Make it strict liability? I.e., if you paid for a "consultant" and it just so happens that he paid off the ransomware operators without your knowledge, you'll still be liable.
That's going to be nearly impossible to enforce, because the first thing that will probably happen is that companies will stop reporting ransomware attacks. And these "consultants" could be based anywhere, as well as further outsource their work to independent contractors, shell companies, etc. So getting hard evidence that there's been a ransom payment will likely be a wild goose chase.