62%
of organizations experienced a significant security incident caused by a third-party vendor in 2024, making vendor breach reporting a routine operational challenge (Ponemon)
72 hours
GDPR notification deadline from the time an organization becomes aware of a personal data breach -- regardless of whether the breach occurred at a vendor
6 weeks
average time to complete a vendor breach investigation when the reporting organization lacks direct forensic access to the vendor's systems
3 sections
the core structure of a credible vendor breach incident report: what we know, what we do not know and why, and what we are doing about it

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

When your vendor is breached, you face a reporting problem that most incident response playbooks do not address: you are responsible for the incident report, but you do not have access to the forensic evidence. The vendor controls the logs, the endpoint telemetry, the network captures, and the investigation timeline. You have whatever data you can pull from your own systems, the vendor's breach notification, and whatever they are willing to share under the pressure of their own legal counsel.

This is a fundamentally different reporting task from writing a report about your own systems. In your own environment, incomplete data means your investigation is incomplete. In a vendor breach, incomplete data may be the final state -- you may never have direct access to the forensic artifacts. The challenge is writing a credible, compliant incident report under those conditions.

This guide covers what you can actually determine without direct forensic access, your regulatory obligations and timeline, the report structure that handles partial information credibly, and how to run the vendor communication track in parallel with your own investigation.

What You Can Determine Without Direct Access to the Vendor's Systems

Start by separating two categories of investigation questions: questions about the vendor's breach (what happened on their systems, how they were compromised, what data was accessed) and questions about your organization's exposure (what data of yours was on their systems, whether that data has been misused, and what your regulatory obligations are).

You will have limited ability to answer the first category. You may have substantial ability to answer the second, and the second category is what your incident report primarily needs to address.

From your own systems and records, you can typically determine: which data categories you transmitted or stored in the vendor's environment (based on your own data classification and data flow documentation), the volume of records or data elements involved (based on your own transfer logs or API call records), the data retention period at the vendor (based on your contract and data processing agreement), whether you have received any signals of your data being misused (credential stuffing attempts using account patterns specific to that vendor's data, dark web mentions of your organization's data in combination with the vendor's breach announcement), and the regulatory classification of the affected data (PII, PHI, payment data, or other regulated categories).

This is the foundation of the incident report: a clear account of what you can verify from your own records, what you are relying on the vendor to confirm, and what remains unknown pending their investigation.

Your Contractual and Regulatory Obligations Under a Vendor Breach

The first hour after receiving a vendor breach notification should be spent determining your notification obligations, because the deadlines run from when you become "aware" of the breach -- and "awareness" in a regulatory context typically means when you received the vendor's notification, not when their internal investigation concludes.

GDPR requires notification to your supervisory authority within 72 hours of becoming aware of a personal data breach, with a full description of likely consequences and measures taken. If EU residents' data was stored with the vendor, this 72-hour clock started when you received their notification. If you cannot complete the full notification within 72 hours, an initial notification with what is known and a commitment to update is compliant -- silence is not.

HIPAA requires breach notification to HHS and affected individuals within 60 days of the discovery of the breach for breaches affecting 500 or more individuals. Your Business Associate Agreement with the vendor determines whether the vendor or you are responsible for the notification, but you should verify rather than assume.

SEC rules (for public companies) require disclosure of material cybersecurity incidents within 4 business days of determining materiality. A vendor breach affecting significant customer data or operational continuity may meet the materiality threshold.

Your vendor contract likely includes breach notification obligations on the vendor's side: timeline for notifying you, minimum information to be provided, and cooperation requirements for your own investigation. Pull this language before your first meeting with the vendor -- it determines what you are entitled to demand from them.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Structuring the Report Around What You Know, What You Do Not Know, and What You Are Doing

The structure that makes vendor breach reports credible under conditions of partial information has three sections:

Section 1: What We Know covers facts you can state with confidence from your own records and from the vendor's confirmed statements. This section uses precise language: "Based on our data transfer records, we transmitted customer email addresses, account IDs, and subscription status information to [Vendor] between [dates]. The vendor has confirmed that their environment was accessed by an unauthorized party between [dates]." No hedging on facts you have confirmed. No extrapolation.

Section 2: What We Do Not Know and Why is the section most incident reports omit, and its absence is what makes reports look either overconfident or evasive. This section explains what information is unknown, why it is unknown, and when you expect to know it. "We cannot confirm at this time whether specific customer records were exfiltrated versus the broader database being accessed. This determination depends on the vendor's forensic investigation, which they have indicated will complete within [timeframe]. We will update this report when that information is available." Regulators and executives understand the limits of a third-party investigation. Pretending those limits do not exist is what erodes credibility.

Section 3: What We Are Doing covers your own remediation and mitigation actions: enhanced monitoring for credential misuse, customer notification if applicable, additional contractual demands for the vendor, and the review of your third-party risk management process for this vendor category. This section demonstrates active response regardless of the forensic limitations.

The Vendor Communication Playbook During the Incident

The vendor has competing interests during a breach incident: their own regulatory obligations, their legal liability exposure, their reputation, and their business relationship with you. Their legal team will be managing every statement they make. Treat all vendor communications accordingly -- verbal statements are not evidence, written statements are.

Immediately upon receiving the breach notification, request in writing: the specific data categories confirmed to be in scope, the date range of the unauthorized access, the forensic investigation timeline and expected completion date, their commitment to provide you with a copy of the final forensic report, the contact information for their incident response team lead and their legal point of contact for your questions, and confirmation of any law enforcement involvement.

Get these requests in writing via email or a formal incident communication channel. "We discussed this on the call" is not a record you can include in a regulatory filing.

Throughout the investigation, maintain a communication log: every call or message with the vendor, the date and time, who participated, and what was stated. If the vendor provides updated information that contradicts an earlier statement, document both statements and the dates. This log becomes part of your post-incident documentation and may be relevant if regulatory questions arise about whether you acted in good faith based on the information available to you.

If the vendor stops cooperating or significantly delays the investigation beyond their stated timeline, your contract's breach notification provisions may give you grounds to audit their investigation or bring in your own forensic team -- check whether your contract includes this right before the situation arises.

Handling the Customer Notification Decision

The most consequential decision in a vendor breach response is usually whether and when to notify affected customers. This decision is legally constrained by your notification obligations, but within those constraints it is also a business and ethical decision.

The legal floor is clear: if the breach meets the regulatory notification threshold for the applicable regulation (GDPR, HIPAA, state breach notification laws, SEC), you notify on the regulatory timeline regardless of business impact concerns.

The more difficult decisions arise when the breach falls below a regulatory threshold but still involves your customers' data. A breach of customer email addresses without payment data or credentials may not require GDPR notification to affected individuals if the risk to those individuals is low. But your customers may feel they should know. The decision should account for: the likelihood that affected customers will discover the breach from other sources (news coverage of the vendor's breach, dark web monitoring services), the trust implications of customers learning about the breach from a third party rather than from you, and the contractual obligations in your customer agreements regarding data security incidents.

Notification templates for vendor breaches should acknowledge three facts explicitly: the source of the breach was a third party (protecting your credibility), the data that was involved (being specific about what was and was not affected builds more trust than vague language), and what you are doing to protect those customers going forward. Vague language in customer notifications -- "we became aware of a security incident" without acknowledging the vendor -- is increasingly viewed as evasive and can compound the trust damage.

What Goes Into the Post-Incident Review

The post-incident review for a vendor breach covers different ground than a review of an internal incident. The forensic reconstruction of the vendor's breach is the vendor's report to produce, not yours. Your post-incident review focuses on your own third-party risk management process and what it failed to catch or prevent.

Specific questions for the post-incident review:

Was this vendor in scope for your third-party risk assessments? If not, why not? What data category or access level should have triggered inclusion?

What was the most recent assessment date and what did it find? If the vendor had a security assessment within 12 months of the breach, did it address the control area where the breach occurred? If it did and the control was assessed as adequate, that is one outcome. If it did not cover that area, that is a gap in your assessment methodology.

What contractual security requirements did you have for this vendor? Were they specific enough to address the control area where the breach occurred? Were they enforceable through audit rights?

What data minimization opportunities exist? Did the vendor have more of your data than they needed? Could the volume or sensitivity of data shared with this vendor be reduced?

What monitoring did you have on data leaving your environment to this vendor? Data loss prevention, API call logging, and egress monitoring determine what you can reconstruct about your exposure without the vendor's cooperation.

These findings from the post-incident review are what drive changes to your third-party risk management program -- and they are also what you document as the "corrective actions taken" in the final incident report.

The bottom line

Writing a vendor breach incident report under conditions of partial forensic information requires a different structure than reporting your own incidents. Build the report around three honest sections: what you can confirm from your own records, what you cannot confirm and why, and what you are actively doing. Determine your regulatory notification obligations in the first hour -- the 72-hour GDPR clock does not wait for the vendor's forensic investigation to complete. Get all vendor communications in writing. Document your communication log. Make the customer notification decision against both regulatory requirements and the trust implications of your customers learning the news from other sources. And use the post-incident review to audit your third-party risk management process rather than simply documenting the vendor's failure. The quality of your response is what is within your control.

Frequently asked questions

What are my reporting obligations when a vendor is breached and my data is involved?

Your regulatory obligations run from when you become aware of the breach, not when the vendor's investigation completes. GDPR requires notification to your supervisory authority within 72 hours of awareness. HIPAA requires notification within 60 days of breach discovery. SEC rules require disclosure of material cybersecurity incidents within 4 business days of determining materiality. State breach notification laws vary but most have 30 to 60 day notification windows. Your Business Associate Agreement (for HIPAA) or Data Processing Agreement (for GDPR) defines whether the vendor or you carry the primary notification obligation -- verify this before assuming.

How do I write an incident report when I have no access to the vendor's forensic data?

Structure the report in three sections: what you can confirm from your own records and the vendor's written statements, what you cannot determine without access to the vendor's forensic investigation and when you expect that information, and what you are actively doing in response to the incident. The second section is the one most reports omit. Regulators and executives understand that third-party investigations have limits -- pretending you have more information than you do is what damages credibility. A precise statement of what is unknown and why is more credible than vague language that obscures the limits of your visibility.

What should I request from the vendor after receiving a breach notification?

Request in writing: the specific data categories confirmed to be in scope, the date range of the unauthorized access, the forensic investigation timeline and expected completion, a commitment to provide a copy of the final forensic report, incident response and legal points of contact, and confirmation of any law enforcement involvement. Get all requests and responses in writing via email -- verbal statements cannot be included in regulatory filings. Maintain a communication log of every interaction with the vendor: date, time, participants, and content.

Do I have to notify my customers about a vendor breach?

You must notify affected customers when the breach meets regulatory notification thresholds for the applicable regulation -- GDPR requires notification to affected individuals when the breach is likely to result in high risk to their rights and freedoms, HIPAA requires individual notification for covered data, and most state breach notification laws require individual notification when defined categories of personal information are involved. Below those thresholds, the decision involves business and trust considerations: customers are increasingly likely to learn about vendor breaches through news coverage or dark web monitoring, and learning it from a third party rather than directly from you compounds the trust damage.

What if the vendor stops cooperating or delays the investigation significantly?

Check your contract's breach notification provisions before this situation arises. Well-drafted vendor agreements include explicit cooperation requirements, investigation timelines, audit rights, and the right to bring in your own forensic team if the vendor fails to complete their investigation within a defined period. If these provisions exist, invoke them in writing when the vendor misses their stated timeline. If they do not exist, this is a gap for your post-incident review and future vendor contract requirements. Document every missed commitment from the vendor in your communication log -- this documentation matters if regulatory questions arise about why your investigation timeline extended.

What goes into a vendor breach post-incident review?

A vendor breach post-incident review focuses on your third-party risk management process rather than the vendor's forensic reconstruction. Key questions: Was this vendor in scope for your third-party risk assessments, and if not, why not? What did the most recent assessment find and did it cover the control area where the breach occurred? What contractual security requirements did you have and were they enforceable? Did the vendor have more of your data than they needed? What monitoring did you have on data leaving your environment to this vendor? The answers drive changes to your TPRM program and become the corrective actions documented in the final incident report.

How is a vendor breach incident report different from a standard incident report?

A standard incident report covers an incident in your own environment where you control the forensic evidence, investigation timeline, and containment actions. A vendor breach incident report covers an incident where the forensic evidence, investigation, and containment are primarily controlled by the vendor. The key structural difference is the explicit treatment of information limits: a vendor breach report must clearly document what you cannot confirm and why, and when you expect that information. It also requires a dual track: your own investigation from your own records and the vendor communication track running in parallel. The regulatory obligations are the same, but the information available to fulfill them is substantially more constrained.

Sources & references

  1. Ponemon Institute: Third-Party Risk Management Study 2024
  2. GDPR Article 33: Notification of a Personal Data Breach
  3. HHS: HIPAA Breach Notification Rule
  4. NIST SP 800-61: Computer Security Incident Handling Guide
  5. IBM Cost of a Data Breach Report 2024

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.