Since Basel II becomes law - and thus it may be that the banks will ask your customers for documentation of IT security before a loan is granted (since IT security is part of the risk assessments in credit scoring):
The operational risks of a company also include the risks arising from the use of information technology in business processes. An active IT risk management is required, which deals with all aspects of IT security for the respective company. Important IT systems must be redundantly available, availability must be ensured, attacks on IT systems from inside and outside must be effectively repelled, contingency plans should be developed, and so on.
And since customers usually do not create their own documentation (which always fascinates me, because actually they should take care of security themselves, so they should also maintain their own documentation), they then demand such documentation from the service provider. Usually one day after they have been asked about the topic (e.g. when the auditor is about to refuse them the seal of approval because the documentation is missing).
Hey, that's a whole new form of corporate extortion: be cooperative, or your next IT security audit for the new loan will go down the drain.