Bankers must do their bit in battle with the black hats

(Bloomberg Gadfly) -- It's shaping up to be one of the biggest data breaches in European banking, but investors are strangely unmoved. They shouldn't be complacent.

Italy's UniCredit SpA said on Wednesday that the personal details of 400,000 borrowers had been compromised. The market kind of shrugged, pushing the shares down less than 1.5 percent by mid-morning.

At first glance, the breach looks relatively limited: UniCredit has 25 million customers worldwide. Borrowers aren't in a position to pull money like depositors. The Italian bank has pinned the blame on a contractor for what it called unauthorized access.

That looks better than Tesco Bank, which had to spend more than 2.5 million pounds ($3.3 million) reimbursing almost 10,000 customers whose accounts were hacked last year.

Still, there are reasons for concern.

First, UniCredit's disclosure has been sub-optimal so far. We know biographical details and bank account numbers may have been accessed, presumably enough to put customers at risk of identity theft. The bank hasn’t identified the contractor.

It's troubling that there were two breaches, and details of the first don't appear to have been disclosed before. The lender might have been unaware of the former until it started to investigate the latter. It owes investors a fuller explanation.

The breach inevitably raises questions about whether UniCredit has paid enough attention to operational controls and its IT systems as the company has spread its tentacles across Europe. UniCredit says it's spending 2.3 billion euros upgrading its IT systems. It may need more.

Maintaining investor confidence from here on will be critical. TalkTalk Telecom Group Plc lost about 1 billion pounds of market value over the space of a year after hackers accessed the personal details of 150,000 customers. Much of that can be attributed to a tin-eared response by management and revelations that the company hadn't implemented even basic security measures. In the end, the fine from Britain's data protection regulator was a mere 400,000 pounds.

Recent cyber-attacks on Reckitt Benckiser Group Plc and Cie de Saint-Gobain show the scale of the threat from hackers. The British consumer goods company had to cut its yearly sales forecast this month after the recent Petya attack disrupted manufacturing and distribution operations. Saint-Gobain said the incident may have knocked up to 1 percent from second-quarter sales.

Bankers, rightly, see cyber-security as the biggest threat to their business. Today's breach may be the work of a disgruntled or lackadaisical contractor. Tomorrow's could be more serious, and expensive for shareholders. Banks, who've been battling the black hats for years, have often been reluctant to talk about hacking for fear of spooking customers or giving ideas to the cyber-criminals.

Yet Reckitt, Saint-Gobain and others show the disclosure game is changing. Like the rest of the finance industry, UniCredit needs to spell out what it's doing.
