4 metaverse risks to address today — even if you’re just getting started

Summary

  • Recent hardware announcements have businesses taking a closer look at extended reality and the metaverse.
  • With metaverse initiatives, it’s critical to address security, identity, data and privacy, and content moderation risks — and better to do so early in the design process.
  • Strong measures can help protect your stakeholders, your brand, your data and your ability to commercialize metaverse activities.

Whether you’re a metaverse leader or only now considering its potential in light of powerful new hardware, it’s critical to consider not just the opportunities, but also the risks. The opportunities, certainly, are impressive. Companies are already using the metaverse to drive customer engagement, operational enhancements, workforce transformation, revenue growth, greater trust with stakeholders and more.

Yet, all this activity will require attention to four sets of risks — centered on security, identity, data and privacy, and content moderation. These risks aren’t the only challenges that your company may face in the metaverse. But they’re usually the most important right now, whether your metaverse focus is internal applications, commercialization or both. They’re especially important if, as is often the case, your metaverse initiatives depend on new allies and third-party providers. With 82% of executives expecting metaverse plans to be part of their business activities within three years, there’s no time to lose.

1. Identity: Are your metaverse users who they say they are?

If you can’t be sure that your metaverse users are who they claim to be, then nearly all your metaverse activities could be sources of risk. Data or digital assets could be stolen. Customer and employee experiences could be corrupted and their transactions compromised. Your users could be victims of scams, for which they’ll have little recourse. Compliance with privacy, anti-money laundering, know-your-customer and other rules could be threatened.

Identity security that balances trust and convenience is already challenging on the internet — and some metaverse platforms are adding a new challenge: user-owned, decentralized identities. Such identities are rare right now but may soon become more common. If your users’ identities are owned by them, not by your company or a platform provider, you may face new complications with authorization and authentication protocols.

Here are some measures that can help you make and keep metaverse identities trustworthy.

  • Act to detect anomalies. Update know-your-customer (KYC) protocols and intelligent log monitoring — which leverages unsupervised machine learning — to help spot authentication anomalies, account takeover attempts and bot-users in the metaverse.
  • Upgrade authentication. Adaptive, risk-based and multi-factor authentication can help build trust in identities. For sensitive transactions, add multi-signature verification — which requires that multiple identities be confirmed.
  • Use metaverse-specific security tech. Consider persistent digital identity verification, blockchain-based credentialing (such as token-gated access verified with digital wallet connections) and diligent authorization protocols for added convenience and security.
  • Watch and shape the future. Monitor, follow or engage with coalitions developing and shaping metaverse identities.

2. Security: Can you keep your metaverse operations safe?

Whatever your metaverse initiative may be — a virtual storefront or upskilling space, a recruiting presence or a digital twin of your operations or marketplace — it could create a new three-dimensional attack surface. Cyber criminals could conduct phishing attacks on your employees and customers, steal data and digital assets, pervert financial transactions or tamper with the smart contracts that may automate activities like transactions and data governance.

Adding to the challenge, in the metaverse it’s often unclear who’s responsible for what security where, and where victims can turn for recourse. If you use third parties to help you offer metaverse environments and services, you may face fourth-party risks from your providers’ providers. Your security risk footprint will also differ depending on whether you use a “private” metaverse platform, which limits who can access experiences and data, or a public one.

These steps can help you address these security challenges.

  • Develop secure architecture. Metaverse-specific baseline configurations, along with aggressive patching and vulnerability management — informed by up-to-date threat intelligence — can provide security-by-design and strong cyber hygiene.
  • Transform cybersecurity. Create metaverse-specific governance and service catalogs and verify that your infrastructure and security capabilities can protect metaverse assets and data.
  • Address digital asset risks. If your metaverse activities and transactions include cryptocurrencies, NFTs or other digital assets, implement new controls designed for digital assets and the smart contracts that govern their verification and transfer.
  • Secure metaverse supply chains. Reduce third- and fourth-party risks by rigorously assessing the terms and representations of contracts and licenses, and by monitoring the platforms, providers or blockchain-based exchanges on which your metaverse activities and transactions depend.

3. Data and privacy: Can you access and safeguard the insights you need?

The metaverse’s immersive, three-dimensional digital world can enable you to gather new insights — including behavioral insights — into customers, employees and suppliers. This rapid evolution can make existing data governance programs obsolete and create lags in the regulatory framework. Yet, users should trust that your metaverse initiatives will safeguard their privacy rights. Otherwise they may refuse to share their data or avoid your metaverse spaces.

The right measures can empower you to collect the anonymized data you need and keep it secured, well mapped, up-to-date and accurate. They can also help you use, share and disclose this data in accordance with regulatory and contractual requirements as well as your stakeholders’ wishes.

  • Create a metaverse-specific data strategy. Your strategy should cover both potential first-party data gathering and working with new data providers. Be sure to consider fourth-party risks. If platforms or other metaverse services providers have access to your data, their service providers could have access too.
  • Reevaluate transparency, choice and consent. Align these operations with your metaverse-specific data strategy and consider that traditional approaches to transparency, choice and consent may not be viable in the metaverse.
  • Prepare for multiple platforms. Develop data gathering, governance, analytics and security that can follow your operations and stakeholders across multiple metaverse platforms or environments.
  • Uplift privacy-by-design. Prioritize risk mitigation and user experience. Build in red-teaming and monitoring throughout the data life cycle to identify and manage risks before they cause harm.
  • Address blockchain implications. If applicable, consider the impact of storing sensitive data on blockchains — where data may be unerasable — on data retention and destruction policies, and on regulatory or contractual requirements. If needed, privacy-enhancing technologies can help secure sensitive on-chain data without compromising its utility.

4. Content moderation: Can you protect your users and brand?

Your stakeholders expect to be protected when they enter your virtual spaces, so it’s up to you to prevent misinformation, targeted scams and other abuses. Bot-users and generative-AI-created deep fakes and impersonations can magnify misinformation — or deceive users into believing that they’re interacting with a trusted contact. Abuse can be both hard to stop, since metaverse interactions take place in real time, and traumatic, since metaverse experiences can be so immersive. Newer consumers — among the greatest metaverse enthusiasts — could encounter inappropriate or predatory content.

Content moderation has to both provide a safe experience and keep that experience compelling — without making your users feel censored or surveilled as you monitor not just text but real-time conversations and behavior. These measures can help.

  • Deploy new protocols. Automated moderation, with clear rules for escalation to human oversight, can counter misinformation and abuse from both malicious actors and your own users.
  • Keep an eye on generative AI. Specialized software can automatically help identify and block malicious content created by generative AI.
  • Moderate content transparently. Set clear rules for moderation decisions and respond quickly and openly to user concerns and feedback.
  • Go beyond mere compliance. To create lasting trust, don’t just obey the letter of the law. Align content moderation guidelines with your company’s values and purpose.

Build a foundation today for trust tomorrow

Security, identity, data and content moderation risks are the most urgent today, but they’re not the only ones that the metaverse may pose. As your company’s metaverse initiatives grow, you’ll likely need to consider a holistic metaverse risk taxonomy, covering these areas:

  • Commercialization
  • Cyber security and fraud
  • Compliance and legal
  • Operational
  • Financial and economic (for both your organization and stakeholders)
  • Brand reputation and consumer trust
  • Consumer health and safety
  • Increased privacy considerations

The good news is that these risks shouldn’t be intimidating. The metaverse can still be considered new. If you act now, you can avoid the mistake that many companies made with the internet — where they first rolled out initiatives, then raced after the fact to close vulnerabilities. Instead, you can design your metaverse initiatives so that trust will be built in from Day One. Trust by design can help reduce risks and costs and differentiate your brand in this new digital world.

To deploy trust-by-design in metaverse initiatives, here are some ideas for how risk officers, compliance officers and internal audit leaders can get started — in close coordination with your company’s metaverse leader and its chief information and information security officers.

  1. Assess your potential. Starting with the four sets of risks we’ve already discussed, determine the challenges that current or proposed metaverse initiatives pose — and how well your existing policies and internal controls can manage them.
  2. Enhance, then add. The most cost-effective and seamless way to manage metaverse risks is to enhance existing controls and processes. You should also identify where that won’t be sufficient and add new controls, often with new technologies.
  3. Consider values and demographics. As you prepare to create metaverse environments, moderate their content and gather data, make sure that your choices reflect the values of your organization and your target demographics.
  4. Stand up governance, compliance and audit. Create metaverse-specific processes and structures for governance, compliance and audit and determine the frequency, format and sequence of governance, compliance and internal audit reviews.
  5. Make it transparent. With your metaverse risk management up and running, set measurable metrics and embed reporting structures so that you can report progress to stakeholders at clearly set intervals — since transparency is a foundation of trust.

With you in the metaverse

Building trust and delivering value in the next digital world with PwC’s metaverse services.
