Have any of your third-party vendors suffered a data loss or security breach within the last 3 years?

recent incident disclosures

Incident disclosures indicate that there has been a security breach or data loss. Disclosures can be voluntary or required by law, depending on the nature of the incident and the jurisdiction(s) of the organization or contents of the data. In the United States, some states require an incident disclosure if any of their residents' personal information might have been involved.

Why are they asking this?

They are asking to learn whether there have been any recent security breaches and how they were handled with regard to the public. Having an incident is an indication of how secure your system may be, depending on the nature of the incident. Incident disclosures can also indicate how mature a security program is, based on how well the incident was handled.

What do they expect?

While the hope is that there have been no data breaches or losses, if there have been any, answer with the number and nature of breaches within the defined period. Be sure to address the fact that they were handled quickly and effectively. Do not include any data that has not been made public or has not been cleared for release to the business partner by the appropriate parties.


If you have not experienced any data breaches in the defined period, answer that there have been none since a specific date, namely the beginning of the specified period, which ends on the date that the questionnaire is being completed. This is a complete answer, and it also defines the period in case of a future breach or one that happened before the defined period.