That's a good question. I'm not 100% sure on that. I do know that a lot of private companies are reticent to report a cyber-attack on their business, for obvious reasons. It may affect people's confidence in that business and the data that they hold. I don't know, to be candid, if there is a legal obligation for them to report that they paid a ransom. My initial thought is no, but I'm happy to see if I can find that answer for you.
On May 20th, 2020. See this statement in context.