Short : YES
A ransom ware attack would suggest there is some sort of vulnerability in the data controller’s control environment, so it would be up to the data controller to demonstrate that there is no such vulnerability. This is a defensive issue for the controller as the burden of proof is on the controller.
A breach means any failure to comply with the DPA and in addition to being able to demonstrate compliance with the 7th Principle relating to appropriate organisational and technical measures the Data controller must be able to demonstrate that the ransom attack has not impaired their ability to comply with the other principles of the DPA.
CISOs would need to show they have taken appropriate organisational and technical measures to address known and predictable vulnerabilities, so patching and any other such best practice activities should be able to be evidenced.