A post-data breach questionnaire is essential for evaluating the impact of a third-party breach on your organization. This due diligence also ensures complaints with expanding data breach protection standards sweeping across government regulations.
This post outlines a template to inspire the design of your security questionnaire for vendors that have suffered a data breach or similar security incident.
Learn how UpGuard streamlines Vendor Risk Management >
Questions to Ask A Vendor Questionnaire Following a Data Breach
When a data breach occurs, your response time directly impacts your breach damage costs - the faster you respond, the less you will likely pay. To support faster response times, the most critical questions querying imminent cyber threats are listed first in a separate critical category. After becoming aware of a third-party breach, these are the minimal questions your cybersecurity team will need answered to understand which aspects of your incident response plan need to be preemptively activated.
The faster your incident response plan is activated, the higher your chances of protecting sensitive data from unauthorized access.
Critical Post-Breach Survey Questions for Third-Party Breach Incidents
These questions will indicate the degree of the cyber attack that's still in progress and whether hackers are still inside the network. This understanding will help incident response teams decide which aspects of the data breach response plan should be prioritized.
When supporting documentation is supplied, please indicate the question number it applies to.
1. Is the cyber attack still in progress?
- Yes
- No
- Free Text Field
1 (a). If a data breach is still occurring, have you set a defensible path?
- Yes
- No
- NA
- Free Text Field
2. Describe the nature of the security breach
For example, ransomware attack, malware injection, data breach, data loss, etc.
- NA
- Free Text Field
2 (a) If you suffered a ransomware attack, has a ransom been demanded?
For example, ransomware attack, malware injection, data breach, data loss, phishing attack,
- Yes
- No
- Free Text Field
2 (b) If you suffered a ransomware attack, have you paid the ransom?
- Yes
- No
- NA
- Free Text Field
- Ideally, also provide supporting documentation
Remember, the FBI strongly advises against ever paying ransom demands. Doing so never guarantees the restoration of your systems. Instead, it funds the growth of ransomware gang operations.
3. Has the cyber threat been contained?
- Yes
- No
- NA
- Free Text Field
4. What is your current awareness of sensitive data types that have been compromised?
For example:
- Social security numbers
- Personally Identifiable Information (PII)
- Credit card numbers
- Phone numbers
- Customer or employee contact information
- NA
- Free Text Field
4 (a) If compromised data involves sensitive personal information, have you complied with appropriate breach notification rules?
Regulations, such as HIPAA and Australia’s Notifiable Data Breach Scheme, have strict notification policies that must be adhered to.
If you’re covered by the health breach notification rule, you need to notify:
- The FTC
- Affected individuals
- The media (in some cases)
If you’re covered by the Health Insurance Portability and Accountability Act (HIPAA), you need to notify:
- Secretary of the U.S. Department of Health and Human Services (HHS)
- Affected individuals
- The media (in some cases)
Learn how UpGuard protected the healthcare sector from data breaches >
Depending on your industry and country of operations, you, or your vendor, may be bound to other breach notification laws and state laws with different breach reporting expectations.
- Yes
- No
- NA
- Free Text Field
5. Are you aware of any compromised sensitive information linked to my business or customers?
- Yes
- No
- NA
- Free Text Field
- Ideally, also provide supporting documentation
5. (a) If you answered Yes, describe all the types of data
- Free Text Field
6. Have you contacted a law enforcement agency about the incident? If so, advise which agency was contacted.
- Yes
- No
- NA
- Free Text Field
7. Do you know what the initial attack vector was?
For example, phishing attack, software vulnerability, unsecured API, misconfiguration, etc.
- Yes
- No
- NA
- Free Text Field
- Ideally, also provide supporting documentation
7 (a). If you answered Yes, describe the nature of the initial attack vector
- NA
- Free Text Field
7 (b). If you answered Yes, has the attack vector been secured?
- Yes
- No
- NA
- Free Text Field
- Ideally, also provide supporting documentation
8. Have incident management or incident handling plans been activated?
- Yes
- No
- NA
- Free Text Field
- Ideally, also provide supporting documentation
Questions Evaluating The Scope of the Data Breach
These questions will help your response team understand the scope of damage suffered by the service provider. This knowledge may help with estimating the likely impending impact on your business.
1. Was any of the compromised data encrypted?
- Yes
- No
- NA
- Free Text Field
1 (a). If you answered Yes, what type of impacted sensitive data was compromised?
- NA
- Free Text Field
- Ideally, also provide supporting documentation
2. List all entities that have been alerted of the incident
Include any legal counsel. gov agencies,
- NA
- Free Text Field
3. What is the total estimated impact of the breach?
For example, 10,000 customers compromised.
- NA
- Free Text Field
4. Has the security incident resulted in a violation of any regulations? If so, list the regulation and, if possible, the specific standards that were violated.
For example, HIPAA< GDPR, CCPA, PCI DSS, etc.
- Yes
- No
- NA
- Free Text Field
- Ideally, also provide supporting documentation
5. Have you communicated the incident with any of your stakeholders?
- Yes
- No
- NA
- Free Text Field
- Ideally, also provide supporting documentation
5 (a). If you answered yes, could you provide a copy of the response process report you provided your stakeholders?
- Yes
- No
- NA
- Free Text Field
- Ideally, also provide supporting documentation
Learn how to write the executive summary of a cybersecurity report >
6. Has an independent audit been completed to determine the cause of the breach and the scope of its damage?
- Yes
- No
- NA
- Free Text Field
- Ideally, also provide supporting documentation
Questions Evaluating the Risk of Repeated Incidents
1. What is your plan for mitigating future information security incidents like this?
Include details of how your response policy and remediation processes have been optimized to better address similar incidents.
- Free Text Field
- Ideally, also provide supporting documentation
Download this whitepaper to learn how to defend against data breaches >
2. Which cybersecurity framework do you currently have in place?
For example, the National Institute of Standards and Technology (NIST) Cyber Security Framework.
- Free Text Field
- Ideally, also provide supporting documentation
4. Do you have a Third-Party Risk Management (TPRM) program in place?
- Yes
- No
- NA
- Free Text Field
- Ideally, also provide supporting documentation
3. When was the last time you completed a self-risk assessment?
- NA
- Free text field for more information
For ideas about how to streamline your risk assessment workflow, watch this video.
4. How often are your security policies and data security controls tested by an independent auditor?
- NA
- Free Text Field
- Ideally, also provide supporting documentation
5. Have you performed a root cause analysis for this incident?
- Yes
- No
- NA
- Free Text Field
- Ideally, also provide supporting documentation
Streamlined post-breach questionnaire workflows with UpGuard
UpGuard’s questionnaire library includes a post-breach questionnaire alongside many other industry-standard security questionnaires. All these questionnaires are supported by management features commonly requested by risk management teams to streamline Vendor Risk Management, including complete customization and completion status tracking.
To address the frustration and time-consuming process of answering repeated questionnaires, UpGuard has launched an AI Autofill feature, allowing vendors to select responses from a repository of previously submitted questionnaires. By completely alleviating the need to maintain an up-to-date record of all questionnaire responses in a spreadsheet, with UpGuard’s AI Autofill feature, vendor questionnaires can be completed in hours instead of days (or weeks).
Watch this video for an overview of UpGuard's AI Autofill feature.
