Generally your finance department needs approve purchases beyond a certain dollar amount. This is pretty standard stuff.

If they got it approved as such don't you think the CEO would have been informed that there was line item from Security for ransom?

The article states the CEO didn't find out about the hack until a month after.