The intent is not to be punitive. The goal is to force all partners to take their security as seriously as you do.
Oh, one other thing. If a partner offers you better security — as in two-factor authentication — take it up on it. The refusal by the bank won’t play well in a courtroom if lawsuits result from this attack.
Given that we are talking policy, you might want to consider a rule that no one can decline a partner’s extra security offer without several levels of approval. In writing. Nothing makes employees take security more seriously than the threat of paperwork.
Sign up for CIO Asia eNewsletters.