Blogpost

Managing Risk In The Metaverse

Madonna entered the metaverse last week when she released her hyped non-fungible token (NFT) art series. Over the weekend, the “Material Girl” acquired an immaterial (but collectible) Bored Ape #4988 with NFTs equal to 180 ether or $564K at time of settlement.

Top-notch celebs have been exploring digital assets in the space known as the metaverse and so have top-notch third-party risk management (TPRM) practitioners.

At Shared Assessments Summit, we brought together a panel to explore privacy in the metaverse – the future of the internet – so we might all acquire Bored Apes with lower risk. Or…just so we can leverage emerging technologies responsibly in our risk management and business practices.

Panelists in our metaverse session included experts in the social media, security and creative industries:

  • Adam Stone, Vice President Service Delivery and Chief Privacy Officer, TrustMAPP
  • Frances Haugen, Facebook Whistleblower
  • Lisa O’Connor, Global Head for Innovation In Security, Accenture
  • Jesse Bryan, CEO, Belief Agency

What is the metaverse?

In the past, we interacted with internet technologies simply to consume data. There was no sense of place or persistence. The metaverse describes a set of technologies – augmented reality (AR), mixed reality (MR), virtual reality (VR) – enabling experiences anchoring a sense of place and encouraging a sense of ownership.

The metaverse includes displays that are embedded in everyday objects: glasses, contact lenses, headsets and omnidirectional treadmills – the stuff of sci fi. With roots in science fiction and the virtual environs of video games, the metaverse now plays an important role in contemporary, mainstream business.

Routine online video meetings, chat threads, and simulations of the supply chain and factories are tangible, everyday instances of businesses in the metaverse.

Notably, the number one buyer of headsets in Q4 were B2B enterprises. As organizations transformed operations during COVID, they were forced to enter the metaverse via new modes of collaboration and interaction to keep business moving forward.

Where does the term metaverse come from?

The term “metaverse” was first coined by novelist Neil Stevenson in 1992 in his science fiction book Snow Crash. (More recently, Ready Player One by Earnest Cline conveys an immersive VR world and serves as an “imaginative reference point” in discussions about the metaverse.)

“….We have a small, extremely literate power elite—the people who go into the Metaverse, basically—who understand that information is power, and who control society because they have this semimystical ability to speak magic computer languages,” Stevenson describes in Snow Crash.

This description is akin to the Facebook platform Frances Haugen described in her keynote address on risk and social media during Summit.

What role do artificial intelligence (AI) and blockchain play in the Metaverse?

In risk management, we must understand AI from a risk perspective and think about the algorithms powering the technology. How was the technology created? How is it traded? What core data is used? As we engage with blockchain technologies understanding the mechanics of the ecosystem is essential for business (cryptocurrency still involves contracts!).

The metaverse offers the opportunity for decentralized communication. In the metaverse, we might sit in a virtual bar together, or we might run through a virtual forest and shooting things together. We might play against AI for a virtual opponent. The metaverse is where we have realistic relationships with synthetic humans powered by AI.

Virtual girlfriends are on the rise globally as bots deliver more and more realistic conversations. People are beginning to form real emotional connections with virtual avatars; surrogates for real human connection will mean alienation across society.

What challenges will the metaverse create in the world of privacy and security?

Immersive technologies initially developed for entertainment or gaming experiences were not constructed for business, they are not secure by design. For regulated industries, how do you know if your controls exist when you put on the VR headset? Remember your policies and processes as experiences become more immersive.

Additionally, identity is an important concept. With device capability, we all have several personas. Is that a self-sovereign identity? Do we get to decide who has our data or not? Understanding your relationship with your business partners, third party suppliers, customers, clients is key. Who are you serving in those experiences and what identity do you need to serve?

Data protection is key as immersive experiences and equipment generate more data. Analytics and social media are one thing, telemetry coming from headsets is another. Who gets the data of every minute facial movement, pupil dialation and expression? The attack surface for data is expanding.

Also, bioinformatics (technologies used to collect, store, analyze and disseminate biological data and information) are subtle enough to diagnose Parkinson’s or dementia early. There could be serious HIPAA implications to this data.

In terms of systematic risk, our children are growing up in a space where they can be anything they want, but only online. This generation does not understand the value of cultivating and personal relationships.

We need to be aware of the terrorism that could be perpetuated by the metaverse. The US military has a legacy of using video games as a training and recruitment tool. What happens when terrorist regimes groom children into radicalization through immersive games? Children are responsive to the feeling of power and would be compelled to join in-person military games.

What should Risk Management do to mitigate risks emerging in the metaverse?

Understanding the speed at which the business is moving is incredibly important.

Check with your CFO to find out who has spent on equipment internally, trace the money and see who is making investments in either services or technologies to prototype and to start their journey in the metaverse. Get a sense of the skills and risk assessment capabilities you are going to need for the metaverse.

For years, we have been making companies billions of dollars by giving them our time, money and content in exchange for the dopamine hit of a social media “like” or a “share”. We need to come to social media platforms with a shared perspective and framework that says we have assessed the risks and determined what we need as a corporation for these systems to be safe.

Brands are trying to enter the metaverse but often have no idea how to do it successfully which introduces security risks. Blockchain technology is connected to hot wallets (wallets connected to the internet). There is tremendous risk opportunity from a security standpoint.

The metaverse has boosted the creator economy (software-facilitated economy that allows creators to earn revenue from their creations). Creators can digitally package up their work and call it an asset, and that is an abstraction. Think about your company’s IP including how you produce your brand – is IP a digital asset in this economy?

With incredibly successful and creative one person companies starting in the metaverse, as risk managers, you must know the technologies your organization uses, understand the maturity of these technologies, and know who is behind the technologies.

In Conclusion

Third Party Risk Management and Madonna might be new to the metaverse, but Snoopdog has been around awhile. The Doggfather’s “Next-Generation Unique Avatars” are long sold out.