With electronic connections between businesses increasing, businesses will need a way to determine if a potential connection is reasonably safe. Eventually, some sort of audit and rating system will be needed so that businesses can selectively make these sorts of determinations. Different aspects of a potential connection's secureness could be evaluated including primary risks (physical location, hardware, security software,...), secondary risks (third-party connections, outsourced activities, end-user devices,...), operational policies (access procedures, upgrade frequency and process, scheduled and unscheduled downtime,...), etc.

I personally think that the IT "industry" should attempt to do some self-policing before governments mandate it. Having experience in various business and technical functions, I've seen the broad impact of the Sarbanes-Oxley Act and know that much of it has become window dressing with little real benefit (other than employment of auditors and consultants). A similar attempt in the IT world could be extremely costly and unproductive.