by hrbrmstr 3026 days ago
Properly constructed information security questionnaires enable a business partner to conduct a high-level, non-intrusive assessment of your organization. You have a right to be concerned about the sensitivity of the data, but if you distrust your business partner that much, then don't do business with them. Your org is not a special snowflake and this is a very common practice by organizations of all shapes and sizes with organizations of all shapes and sizes. They are not the be-all/end-all of information sources (orgs regularly fib on these forms) and you do have a similar right to ask the inquisitors how they will protect your form data (that will also partly show them you at least give lip-service to data security). It's also far more likely that your organization is going to get pwnd via phishing that is completely unrelated to the potential loss of confidentiality of this document. I say that as someone who has formally studied cybersecurity breaches for years.

Also, as cyberinsurance increasingly becomes "a thing", you're going to see this questionnaire situation increase in frequency. Your org should consider creating a pre-composed (and regularly updated) SSAE 16 (https://en.wikipedia.org/wiki/SSAE_16) to avoid having to fill out unique assessment questionnaires for every request that comes in. It'll save you time and — unless you "go N/A crazy" on the SSAE 16 — should be accepted by any firm worth doing business with.