Metaverse risks: how organizations can prepare

“What we are seeing today with the metaverse is the evolution of how we are going to be connected to networks, digital environments, and potentially the internet,” Chalico told Insurance Business.

What types of technology are being used in the metaverse?

There are at least four different types of technology converging in the metaverse, according to Chalico:


Interfaces – also called “spatial computing,” these include the devices people use to connect to the internet or any other network, such as Meta’s Oculus Quest headset.
Game engines – these engines underpin the metaverse as digital representations or avatars that engage and interact in virtual environments.
Digital environments – augmented reality (AR) and virtual reality (VR) create the immersive experiences users would not find in the physical world.
Virtual economies – the blockchain, digital currencies and non-fungible tokens (NFTs) enable commercial transactions to occur in virtual spaces.

The metaverse creates different opportunities for companies to interact meaningfully with customers, collaborate with teams, and differentiate themselves in competitive markets. Through this new reality, customers can be transported to a retail store to browse the latest products; workers to a pipeline facility to be trained how to repair it; or pilots to a plane cockpit for flight simulations.

However, the metaverse also opens businesses up to a variety of exposures, especially if they go in without a robust cybersecurity and data privacy plan.

What are the risks associated with the metaverse?

The most significant risks associated with the metaverse are cyberattacks and data and privacy breaches. This is because virtual reality platforms collect a lot of personal information.

“The more accurate a digital representation or avatar is, the more personal information will be collected. An avatar can represent the gestures you make, the shape of your body, the color of your hair, skin, and eyes… all those elements are personal information that in many cases can be biometric and needs to be very well protected,” Chalico said.

“And if in addition to that, we are going to be performing commercial transactions in the metaverse, all of that financial data needs to be protected as well.”

Customers need to be able to consent before their data in the metaverse is collected and shared for other purposes, just as they consent when signing up for apps or websites. Companies must create adequate controls for data privacy or face liabilities.

Bad actors can launch cyberattacks through vulnerable AR and VR devices, which store a huge amount of user data. Similarly, hackers can easily spoof metaverse users’ identities or steal and take over accounts. Cybersecurity for the metaverse can be uniquely challenging and can require specialized expertise.

Finally, there are also physical risks associated with the metaverse. “The metaverse can be incredibly immersive, and users could be completely unaware of their physical space while they are having a metaverse experience,” Chalico said. “Organizations need to consider the risks to provide users with solid recommendations to have a physically safe experience when using the metaverse.”

How can companies avoid data and cybersecurity risks in the metaverse?

To combat these exposures, organizations should “ground [their] metaverse strategy in a holistic, privacy-by-design and cybersecurity-by-design approach,” according to Chalico.

“As a society, we tend to be focused first on making technology operational, delivering the value that is expected. Only later do we think of cybersecurity and privacy controls,” he said. “But that needs to change now that the metaverse is a reality.”

Ad hoc risk mitigation won’t be enough for companies that want to take part in the metaverse.

“Privacy by design,” an approach developed by Ontario’s former information and privacy commissioner Ann Cavoukian, calls for data privacy to be considered during the entire systems engineering process.

“The concept is about finding privacy controls before a new system or a new process is embedded into the production environment,” said Chalico.

Privacy-by-design and cybersecurity-by-design are strategies that businesses can use to create an environment of trust with customers and other stakeholders. These plans should also include a code of conduct and ethical principles that will guide the organization’s use of metaverse applications.

Chalico emphasized that the right players are needed to guide business leaders and help them create a strategy to navigate the complex risks in the metaverse. “You need to bring in privacy and cybersecurity specialists from the very beginning, before the applications and processes are designed,” he said.
