Let me save you the trouble...
Why bother asking them for a response - Here's the standard corporate PR blurb for these matters:
[InsertCompanyName] takes its customers' security seriously and takes all reasonable precautions to ensure the safety of customer data and internal audit has been initiated to establish the severity of any data breach. We cannot comment further until this investigation is completed / the press have lost interest.
On a different note, it occurs to me that any organization publically advertising for a CIO in charge of cyber security may well be inviting themselves to be hacked. - It's a bit like telling the guy at PCWorld you know nothing about computers and showing him a wallet full of £50 notes.