Is there a risk to a business that is using a shared certificate?
It is a certificate of a content delivery network – a U.S. company Incapsula Inc. – intercepting your whole communication with the bank. The certificate itself does not pose a direct risk to customers' data, but:
Is this considered a bad practice?
Unlike the other answers, I would say it is not normal and the situation indicates a certain level of incompetence on the bank's side.
According to Incapsula's pricing plans, your bank might be using $59/month, while the company offers custom SSL for $299/month (feature "Supports custom SSL certificates") and a real plan for enterprises.
Even if the bank pays more to CDN, the bank is using functionality aimed at professional blogs and not using the features their plan/agreement offers.
Your bank may be violating privacy laws in your country by letting a company from another country, under a different legislature, process customers' personally identifiable data.
What risks are their customers are subjected to? (man in the middle? impersonation?)
The data in a encrypted between your browser and the CDN's endpoint. The private key is (hopefully) stored only on CDN's servers, so there is no risk other companies from the list could impersonate the bank.
As long as security standards are met on a link between CDN and the bank, the MitM is technically not possible either.
Notice incapsula.com
in the subject. Incapsula is a company that offers web application security that includes WAF, DDOS protection and a few more services.
My guess is that your banks website is actually proxied through their server and so are all those other sites. That server gives out the same certificate on all those sites because they are all actually proxied through the same server.
There is no reason to worry here.
This may be normal.
Banks often consolidate, purchase, cross-market, and do all sorts of things that mean that they're answering to more than one name. It is not unusual for a bank to have numerous SAN entries to allow all their varied customers to get to their web site, even if they're a customer of a bank purchased by a bank purchased by a bank purchased by a bank that was purchased by a bank that they've acquired.
You may wish to check if those other names listed resolve to the same IP address and/or are served by web sites using the same certificate. If those domains truly do share a common owner, this may be somewhat normal practice.
In security terms, it is potentially worse - if the private key is shared out to numerous servers, numerous admins - but not definitively. You don't know enough about what's actually happening behind the scenes to say.