Looking to streamline your TPRM? Join our Product Deep Dive Webinar with live Q&A!
Register Now
Blog
Resources
Blog
Breaches
eBooks, reports, & more
Events
News
Third-Party Risk Management
Categories
Attack Surface Management
Company News
Compliance and Regulations
Cybersecurity
Data Breaches
DevOps
Human Cyber Risk
Risks and Vulnerabilities
Third-Party Risk Management
Vendor Risk Management
Vendor Post-Data Breach Questionnaire (Free Template)
Last updated
November 18, 2024
{x} minute read

Vendor Post-Data Breach Questionnaire (Free Template)

Get a demo
Free trial
Download the PDF guide
Free trial
Written by
Edward Kost
Senior Cybersecurity Writer
Edward is a cyber writer with a mechanical engineering background. His work has been referenced by academic institutions and government bodies.
Reviewed by
Kaushik Sen
Chief Marketing Officer
Kaushik has a background in software engineering, enterprise solution architecture, and data analytics. He brings a unique, data-driven perspective to cybersecurity education.
Table of contents

A post-data breach questionnaire is essential for evaluating the impact of a third-party breach on your organization. This due diligence also ensures complaints with expanding data breach protection standards sweeping across government regulations.

This post outlines a template to inspire the design of your security questionnaire for vendors that have suffered a data breach or similar security incident.

Learn how UpGuard streamlines Vendor Risk Management >

Questions to Ask A Vendor Questionnaire Following a Data Breach

When a data breach occurs, your response time directly impacts your breach damage costs - the faster you respond, the less you will likely pay. To support faster response times, the most critical questions querying imminent cyber threats are listed first in a separate critical category. After becoming aware of a third-party breach, these are the minimal questions your cybersecurity team will need answered to understand which aspects of your incident response plan need to be preemptively activated.

The faster your incident response plan is activated, the higher your chances of protecting sensitive data from unauthorized access.

Critical Post-Breach Survey Questions for Third-Party Breach Incidents

These questions will indicate the degree of the cyber attack that's still in progress and whether hackers are still inside the network. This understanding will help incident response teams decide which aspects of the data breach response plan should be prioritized.

When supporting documentation is supplied, please indicate the question number it applies to.

1. Is the cyber attack still in progress?

  • Yes
  • No
  • Free Text Field

1 (a). If a data breach is still occurring, have you set a defensible path?

  • Yes
  • No
  • NA
  • Free Text Field

2. Describe the nature of the security breach

For example, ransomware attack, malware injection, data breach, data loss, etc.

  • NA
  • Free Text Field

2 (a) If you suffered a ransomware attack, has a ransom been demanded?

For example, ransomware attack, malware injection, data breach, data loss, phishing attack,

  • Yes
  • No
  • Free Text Field

2 (b) If you suffered a ransomware attack, have you paid the ransom?

  • Yes
  • No
  • NA
  • Free Text Field
  • Ideally, also provide supporting documentation
Remember, the FBI strongly advises against ever paying ransom demands. Doing so never guarantees the restoration of your systems. Instead, it funds the growth of ransomware gang operations.

3. Has the cyber threat been contained?

  • Yes
  • No
  • NA
  • Free Text Field

4. What is your current awareness of sensitive data types that have been compromised?

For example:

  • Social security numbers
  • Personally Identifiable Information (PII)
  • Credit card numbers
  • Phone numbers
  • Customer or employee contact information

  • NA
  • Free Text Field

4 (a) If compromised data involves sensitive personal information, have you complied with appropriate breach notification rules?

Regulations, such as HIPAA and Australia’s Notifiable Data Breach Scheme, have strict notification policies that must be adhered to.

If you’re covered by the health breach notification rule, you need to notify:

  • The FTC
  • Affected individuals
  • The media (in some cases)

If you’re covered by the Health Insurance Portability and Accountability Act (HIPAA), you need to notify:

  • Secretary of the U.S. Department of Health and Human Services (HHS)
  • Affected individuals
  • The media (in some cases)

Learn how UpGuard protected the healthcare sector from data breaches >

Depending on your industry and country of operations, you, or your vendor, may be bound to other breach notification laws and state laws with different breach reporting expectations.
  • Yes
  • No
  • NA
  • Free Text Field

5. Are you aware of any compromised sensitive information linked to my business or customers?

  • Yes
  • No
  • NA
  • Free Text Field
  • Ideally, also provide supporting documentation

5. (a) If you answered Yes, describe all the types of data

  • Free Text Field

6. Have you contacted a law enforcement agency about the incident? If so, advise which agency was contacted.

  • Yes
  • No
  • NA
  • Free Text Field

7. Do you know what the initial attack vector was?

For example, phishing attack, software vulnerability, unsecured API, misconfiguration, etc.

  • Yes
  • No
  • NA
  • Free Text Field
  • Ideally, also provide supporting documentation

7 (a). If you answered Yes, describe the nature of the initial attack vector

  • NA
  • Free Text Field

7 (b). If you answered Yes, has the attack vector been secured?

  • Yes
  • No
  • NA
  • Free Text Field
  • Ideally, also provide supporting documentation

8. Have incident management or incident handling plans been activated?

  • Yes
  • No
  • NA
  • Free Text Field
  • Ideally, also provide supporting documentation

Questions Evaluating The Scope of the Data Breach

These questions will help your response team understand the scope of damage suffered by the service provider. This knowledge may help with estimating the likely impending impact on your business.

1. Was any of the compromised data encrypted?

  • Yes
  • No
  • NA
  • Free Text Field

1 (a). If you answered Yes, what type of impacted sensitive data was compromised?

  • NA
  • Free Text Field
  • Ideally, also provide supporting documentation

2. List all entities that have been alerted of the incident

Include any legal counsel. gov agencies,

  • NA
  • Free Text Field

3. What is the total estimated impact of the breach?

For example, 10,000 customers compromised.

  • NA
  • Free Text Field

4. Has the security incident resulted in a violation of any regulations? If so, list the regulation and, if possible, the specific standards that were violated.

For example, HIPAA< GDPR, CCPA, PCI DSS, etc.

  • Yes
  • No
  • NA
  • Free Text Field
  • Ideally, also provide supporting documentation

5. Have you communicated the incident with any of your stakeholders?

  • Yes
  • No
  • NA
  • Free Text Field
  • Ideally, also provide supporting documentation

5 (a). If you answered yes, could you provide a copy of the response process report you provided your stakeholders?

  • Yes
  • No
  • NA
  • Free Text Field
  • Ideally, also provide supporting documentation

Learn how to write the executive summary of a cybersecurity report >

6. Has an independent audit been completed to determine the cause of the breach and the scope of its damage?

  • Yes
  • No
  • NA
  • Free Text Field
  • Ideally, also provide supporting documentation

Questions Evaluating the Risk of Repeated Incidents

1. What is your plan for mitigating future information security incidents like this?

Include details of how your response policy and remediation processes have been optimized to better address similar incidents.

  • Free Text Field
  • Ideally, also provide supporting documentation

Download this whitepaper to learn how to defend against data breaches >

2. Which cybersecurity framework do you currently have in place?

For example, the National Institute of Standards and Technology (NIST) Cyber Security Framework.

  • Free Text Field
  • Ideally, also provide supporting documentation

4. Do you have a Third-Party Risk Management (TPRM) program in place?

  • Yes
  • No
  • NA
  • Free Text Field
  • Ideally, also provide supporting documentation

Learn more about TPRM >

3. When was the last time you completed a self-risk assessment?

  • NA
  • Free text field for more information

For ideas about how to streamline your risk assessment workflow, watch this video.

Get a free trial of UpGuard >

4. How often are your security policies and data security controls tested by an independent auditor?

  • NA
  • Free Text Field
  • Ideally, also provide supporting documentation

5. Have you performed a root cause analysis for this incident?

  • Yes
  • No
  • NA
  • Free Text Field
  • Ideally, also provide supporting documentation

Streamlined post-breach questionnaire workflows with UpGuard

UpGuard’s questionnaire library includes a post-breach questionnaire alongside many other industry-standard security questionnaires. All these questionnaires are supported by management features commonly requested by risk management teams to streamline Vendor Risk Management, including complete customization and completion status tracking.

To address the frustration and time-consuming process of answering repeated questionnaires, UpGuard has launched an AI Autofill feature, allowing vendors to select responses from a repository of previously submitted questionnaires. By completely alleviating the need to maintain an up-to-date record of all questionnaire responses in a spreadsheet, with UpGuard’s AI Autofill feature, vendor questionnaires can be completed in hours instead of days (or weeks).

UpGuard's AI autofill feature suggesting a response based on referenced source data.
UpGuard's AI autofill feature suggesting a response based on referenced source data.

Watch this video for an overview of UpGuard's AI Autofill feature.

Related posts

Learn more about the latest issues in cybersecurity.
Third-Party Risk Management

Ongoing TPRM Success: Continuous Security Monitoring with AI

Is manual work weighing down your security team and limiting your ability to scale? Learn how UpGuard and its AI features can help.
Nicholas Sollitto
Nicholas Sollitto
November 27, 2025
Third-Party Risk Management

Report Writing Solved: Generating Actionable Assessment Reports

Is manual report writing slowing down your security team? Learn how UpGuard’s AI can help.
Nicholas Sollitto
Nicholas Sollitto
April 2, 2025
Third-Party Risk Management

Remediation Made Easy: Reducing Risks and Driving Vendor Action

Is your security team lost in the chaos of managing vendor remediation? Learn how UpGuard’s AI can help.
Nicholas Sollitto
Nicholas Sollitto
March 26, 2025
Third-Party Risk Management

Evidence Analysis: Unlocking Insights for Stronger Security Posture

Is sorting through mountains of vendor information weighing your team down? Learn how UpGuard's AI can help you solve this and other inefficiencies.
Nicholas Sollitto
Nicholas Sollitto
March 13, 2025
Third-Party Risk Management

Vendor Responsiveness Solved: Soothing Your Third-Party Aches

Is waiting on vendor responses slowing down your risk assessments? Learn how UpGuard's AI can help you solve this and other inefficiencies.
Nicholas Sollitto
Nicholas Sollitto
March 6, 2025
Third-Party Risk Management

CrowdStrike Outage: What Happened and How to Limit Future Risk

Learn how you should respond to the CrowdStrike incident and the likely long-term impact it will have on third-party risk management.
Nicholas Sollitto
Nicholas Sollitto
November 27, 2025
All posts