A live case shows why banks answer to a clock that vendors and consulting firms still don’t.

Accenture confirmed a data breach this week, after a hacker put its data up for sale and journalists started asking questions.

Essentially, consulting firms and vendors aren’t obligated to follow any disclosure timeline. Contrast that with a bank, and a real inconsistency shows up.

The Clock Banks Don’t Get to Negotiate

MAS requires banks to notify within one hour of discovery, before root cause is even known. The clock starts the moment you find out, not the moment an investigation concludes. Regulators don’t give banks the option to ask themselves who’s entitled to know first, and how fast, because delay itself is the danger.

The Clock Vendors Still Don’t Have

In November 2025, EU regulators named Accenture one of 19 firms critical enough to the financial system to warrant direct oversight under DORA, the same list as AWS and Microsoft.

Yet still no obligation to say anything publicly before the hackers do. Why not?

A Harder Problem Than It Looks

Because nobody has figured out the cost calculus for vendors yet. Partly also because cybercrime forums routinely overstate their claims, and the media coverage that follows adds to everyone’s anxiety before anything is confirmed.

In 2024, the same threat actor, “888,” claimed to have stolen data on 32,826 Accenture employees. The investigation found just three real names. This week “888” is back, claiming 35GB of Accenture’s source code. Given that track record, waiting for the investigation to conclude is a reasonable position, and Accenture’s statement so far, “an isolated matter, remediated, no impact to operations,” is consistent with that caution.

The Trade-off Nobody Has Asked Vendors to Make

Besides regulatory mandate, banks have accepted false alarms as the price of speed because the downside of being late is systemic. Vendors haven’t been asked to make that trade yet, but as DORA’s own reach into firms like Accenture shows, regulators are starting to think they should be.

Sources

About the Author

Viren Mantri is a cybersecurity advisor and former senior technology leader across Standard Chartered, UBS, McAfee, and KPMG. After three decades at the intersection of technology, risk, and regulation, he now helps organisations cut through complexity and make better security decisions.

CC-BY Viren Mantri, 2026, licensed under a Creative Commons Attribution 4.0 International License.

Disclaimer: All views expressed here are entirely mine.