Many risks companies face in the real world will exist in the metaverse, albeit with a digital twist. For example, many metaverse projects involving the use of a “currency” feature their own native coins, which in many instances can be swapped for other cryptocurrencies or even fiat currency. These activities and operations may lead to allegations of wrongful acts implicating directors and officers (D&O) or errors and omissions (E&O) coverage, among other types of coverage. Many metaverse projects will feature content creation that could implicate intellectual property rights, thereby triggering these same coverages or, potentially, commercial general liability (CGL) coverage or specialized intellectual property coverage. In the metaverse, people can interact with each other via their avatars and haptic feedback and, in some cases, may be accused of causing emotional distress or other torts through those interactions. Events like that may trigger a variety of liability insurance policies, including, if occurring within the virtual workplace, employment practices liability policies. These examples, and the examples set forth below, are just a sample of the core insurance coverages that could be implicated by risks presented by the metaverse.
D&O insurance shields a company’s board and management and protects their personal assets from liability. It typically insures claims made against (1) the directors and officers when the company does not indemnify them (“Side A” coverage) and (2) the company itself when it is required to indemnify its directors and officers for those claims (“Side B” coverage). D&O policies also can include entity coverage protecting the company against its own liability in a securities claim or (in the case of private companies) any non-excluded claim made against the company (“Side C” coverage). D&O insurance is particularly important because it can cover defense costs and indemnity for a variety of claims and suits, depending on the policy language.
D&O risks presented by the metaverse may include:
- Securities claims
- Intellectual property claims
- Breach of fiduciary duty claims
- Misrepresentation claims
- Shareholder and derivative lawsuits
- Regulatory investigations
An insured must be wary of the specific terms and provisions of their D&O policies. While existing D&O policies likely would cover metaverse-related claims for directors and officers of companies entering the metaverse in the same manner that they cover non-metaverse claims, many insurers deny coverage for cryptocurrency-related losses or issue policies with language severely limiting such coverage. In particular, companies dealing in cryptocurrency should be mindful of the definition of a “Securities Claim.” Depending on the policy language and the applicable law of the jurisdiction, a D&O policy may protect a company and/or its management from metaverse-related liability as a “Securities Claim.”[1]
Additionally, regulators in the future could investigate metaverse companies for a variety of alleged acts or omissions involving operations, cryptocurrency and non-fungible token (NFT) transactions, user conduct, and privacy and data security, to name just a few. These investigations can be costly. A D&O policy may cover some or all of the costs associated with such an investigation. However, it is important to ensure that the policy does not exclude investigations for cryptocurrency-related activities or the insured’s operations in the metaverse.
Cyber and crime
With its increasing adoption, the information stored in the metaverse will entice bad actors who want to steal valuable data and items. Among other things, hackers could target:
- User information and sensitive data (including biometric data)
- User identity information and credentials
- Confidential and proprietary information
- Cryptocurrencies and NFTs
Cyber and crime insurance can mitigate some of these risks. Cyber insurance is designed to provide first- and third-party coverage for claims arising out of security or privacy breaches, such as ransomware attacks or cyber extortion. Depending on the policy language and coverages purchased, cyber insurance may provide coverage for costs of investigation, ransom payments, data recovery and restoration, crisis management, business interruption, and liability claims for disclosure of or failure to protect confidential information.
Similarly, crime coverage may cover losses arising from certain criminal incidents, such as theft of money, securities, or property; ransomware attacks; social engineering; fraud; and phishing, among others. In a recent case in New York, a court examined coverage under an identity theft policy for the theft of private key credentials to an insured’s cryptocurrency account and subsequent looting of the insured’s cryptocurrency.[2] The court partially sided with the insured, finding that the hack and subsequent theft of the insured’s private keys constituted a covered “Stolen Identity Event.”[3] The court permitted the insured’s stolen key credentials claim to proceed, but held that the insured was not entitled to remediation coverage for its lost cryptocurrency because the private wallet was not an “Account,” i.e., an account in a U.S. regulated and domiciled financial institution.[4] The decision demonstrates challenges in obtaining coverage for emerging metaverse-related risks, including crypto.
It is important to note that cyber and crime policies sometimes include language purporting to limit or exclude coverage for cryptocurrency and digital asset-related losses. An insured must be wary of such exclusions and – as is true regarding many risks associated with the metaverse – consider negotiating more favorable terms.
Metaverse projects may involve alternative governance structures, e.g., decentralized autonomous organizations (DAOs). For this reason, nontraditional organizations and companies active in the metaverse must be particularly careful in naming the correct entities as insureds under their policies. In many jurisdictions, DAOs are not legal entities so they may be precluded from purchasing insurance policies and may need to secure insurance through another legal entity structure. Some DAOs have foundations to protect their legal rights (e.g., The Decentraland Foundation), while others may utilize more traditional forms of corporate governance. Either way, a company must ensure that it and its board and management have adequate insurance coverage against risks presented by the metaverse.
If metaverse-related losses or liabilities arise, companies should take a careful look at their existing insurance programs to see whether coverage may be available. Companies operating in the metaverse should also keep abreast of any new insurance products for metaverse applications, such as specific coverages for digital assets. As this area develops, it is especially important to retain experienced insurance coverage counsel to assist with negotiating and procuring insurance and in navigating any disputes that may arise related to losses and claims.
[1] At the time of writing, it is not clear whether cryptocurrency is a security under U.S. law. In S.E.C. v. Ripple Labs, Inc., No. 20-cv-10832 (S.D.N.Y. 2020), a U.S. federal court is considering arguments from the U.S. Securities and Exchange Commission that Ripple’s cryptocurrency, XRP, is a security.
[2] Atwal v. NortonLifeLock, Inc., No. 20-cv-449S, 2022 U.S. Dist. LEXIS 93153 (W.D.N.Y. May 24, 2022).
[3] Id. at *13-18.