Author: John Farley
Those tasked with managing cyber risk must juggle a variety of dynamic challenges. Understanding emerging threat vectors, maintaining a working knowledge of the latest cyber defense technology, complying with a patchwork of evolving state, federal and international privacy laws — while navigating a complex cyber insurance marketplace — are on the long list.
While risk managers grapple with all of these challenges, a new cyber risk landscape is emerging with its own challenges and opportunities. We are on the precipice of what's known as the metaverse. Its foundation is being built as you read this, and it may well impact every element of cyber risk management as you know it.
The metaverse defined
Simply put, the metaverse is a place that will allow our physical and digital lives to converge. It will create a virtual reality where we can work and play in simulated environments that reflect our real worlds with astonishing accuracy.
In the early stages of its development, the metaverse will require physical tools such as headsets, glasses, gloves and wristbands while leveraging massive computing power. Users will create their digital likeness in the form of an avatar. They will maintain ownership of their virtual identities and digital assets via blockchain technologies and smart contracts.
Individuals across demographics may use it, as well as businesses that cut across almost all industry sectors. Real estate professionals, fitness instructors, educators, religious institutions, healthcare workers, entertainers and just about every professional service provider may leverage the immersive metaverse experience to provide their goods and services.
Risks associated with metaverse technology
History tells us that, as a society, we tend to embrace new technologies with open arms as soon as they become available. However, we don't always fully appreciate the risks of doing so, and we tend to pay the price later on.
Mobile devices decentralized computing and stored our most sensitive data. When we lost them, we realized they weren't always password protected or encrypted. Industrial controls, some housed within our critical infrastructure, quickly became automated, but not necessarily secured from cyber threat actors, including unfriendly and powerful nation states. Automobiles are becoming autonomous, but it remains uncertain where our driving data is stored, who has access to it, and whether these cars can be hacked as we drive at high speeds.
Therefore, it's incumbent on cyber risk professionals to take advantage of the small window of opportunity we have in the early building stages of the metaverse, with an eye toward managing what will likely be the key risk management pain points: privacy and compliance; financial fraud, misrepresentation and copyright infringement; and physical threats.
Privacy and compliance in the metaverse
When creating avatars, many areas need to be clarified, such as:
- What personal information will be required when creating an avatar
- Who can create one
- Who's responsible for validating, storing and securing these data elements
We're currently sorting through geographic-specific privacy laws that mandate complex data security and collection compliance requirements. These laws include, but aren't limited to, data access on blockchains, data transfer, data sharing, rights to data erasure and even the use of our biometric data.
Regulations for compliance with severe penalties for non-compliance exist across the globe, with multiple privacy regimes playing a role in enforcing them. There's reason to believe they will extend in some way from today's businesses and their data subjects to their avatars in the metaverse.
Financial fraud in the metaverse
We'll likely be subject to social engineering attacks as we know them today, but need to prepare for more sophisticated attacks involving new technology and platforms associated with the metaverse. Threat actors may have greater access to do reconnaissance as they interact with avatars in a more extensive and personal way than ever before.
Further, users will have a greater reliance on cryptocurrency and its platforms as they transact business in the metaverse. Recent history has proven that cryptocurrency is fertile ground for hackers, with reports of massive cryptocurrency theft occurring regularly. The cryptocurrency ecosystem attack surface will expand significantly in the metaverse, requiring a greater security posture for those operating in it.
Misrepresentation and copyright infringement in the metaverse
An accurate depiction of real-world products via three-dimensional representation will be a requirement in the metaverse. Many organizations will contract with external parties to do accurate depictions. What's considered an accurate depiction may be subjective, and opinions may differ among businesses selling a product or service, the vendors that create and market its digital twin and the consumer that buys it.
Copyright issues may also arise, as claims to ownership of real-world assets may extend to digital likenesses of those assets that another party might have created.
All of these issues could open an array of legal liability theories that have yet to be tested in the metaverse.
Physical threats in the metaverse
Online threats are nothing new, but metaverse technology may heighten the dangers to the real world in significant ways. Child predators may have greater access to potential victims and be even further enticed to carry out criminal behavior as digital likenesses become more realistic and interactive. Terrorists may be able to train in virtual landmark buildings with access to detailed layouts of properties. The same can be said for criminals looking to rob commercial businesses and homes.
Cyber insurance implications
In its relatively short life, the cyber insurance marketplace has evolved in significant ways, almost in lockstep with the evolving cyber threat landscape. Policies are written on manuscript forms, giving the hundreds of cyber insurance carriers flexibility to adapt their own policy forms.
In today's difficult cyber threat environment, the market seems to be pulling back in both the scope of coverage and the capacity to provide enough limits to meet demand. As the metaverse gains traction and greater adoption, buyers need to be aware of some key coverage nuances that may impact cyber risk transfer:
- Regulatory risk: The metaverse will likely increase regulatory risk for organizations. Some cyber policies are quite broad in covering it; others aren't. Coverage for costs related to regulatory investigations, lawsuits, settlements and fines may vary. Policy wording can restrict coverage to specific privacy laws, require a data breach to trigger coverage, or exclude it altogether.
- Crisis management experts: Most cyber policies provide experts to help mitigate the financial and reputational harm associated with cyber incidents, and those experts will be as important in the metaverse. Legal experts will need to have a greater understanding of how to navigate the metaverse-specific privacy and compliance issues. IT forensic investigators will need deep knowledge of the various metaverse technology tools and platforms to help organizations recover from incidents quickly and efficiently. Some underwriters allow their clients to use non-panel experts, subject to underwriter approval. However, it's important that these experts demonstrate expertise in the metaverse before being tasked with this work.
- Digital asset restoration: Some cyber policies provide coverage for costs associated with hiring experts to restore or replace data affected by cyber incidents. In the metaverse, we'll see new types of data, such as non-fungible tokens (NFTs), which are often defined as records associated with specific digital or physical assets. Policy language should be clear as to which digital assets are covered in metaverse-based losses, and to what extent.
- Media liability: Some cyber policies provide coverage for copyright and trademark infringement in cases that involve websites and social media platforms. It remains unclear if this will extend to the metaverse, so careful consideration should be given to the policy wording that expands or constricts coverage for metaverse-based copyright and trademark infringement claims.