
Ohio’s New Cybersecurity Law Is Already Being Audited, Is Your Organization Ready?

by Anita Martin | Mar 12, 2026


Key Takeaways

  • Ohio House Bill 96 requires all political subdivisions to implement a cybersecurity program, with cities and counties already under the January 1, 2026 deadline and all other entities required to comply by July 1, 2026. 
  • Auditors are actively reviewing cybersecurity programs now — documentation, training records, and incident reporting will all be examined. 
  • A cybersecurity program is not a one-time checklist. It’s an ongoing, organization-wide discipline that requires governance, training, monitoring, and continuous improvement. 
  • Effective September 30, 2025, cyber incidents must be reported to the Ohio Cyber Integration Center (OCIC) within 7 days of identification and to the Ohio Auditor of State within 30 days. 
  • Ransomware payments require formal legislative approval before they can be made — and the reasoning must be documented. 

If your local government entity does not yet have a documented cybersecurity program in place, now is the time to act. Ohio House Bill 96 (HB 96) took effect September 30, 2025, establishing incident reporting requirements immediately, with phased deadlines ahead for full cybersecurity program implementation. For entities already under review, auditors are beginning to assess compliance with the new requirements. 

Rea recently hosted a webinar on navigating HB 96, featuring insights from Travis Strong, a principal with Rea Information Services and an IT risk management and cybersecurity specialist, alongside Tim Herold, an audit manager on Rea’s government team. Their combined perspective — one from the technical side, one from the audit side — shed important light on what Ohio’s political subdivisions need to understand right now. Watch the full webinar. 

Here’s what your organization needs to know. 

What HB 96 Actually Requires

At its core, HB 96 requires Ohio political subdivisions to do three things: 

  1. Implement a cybersecurity program 
  2. Obtain legislative approval before making ransomware payments 
  3. Report cyber incidents through the proper channels on a defined timeline 

For cities and counties, the deadline to have a program in place was January 1, 2026. For all other entity types, including townships, school districts, and special districts, the deadline is July 1, 2026. 

But here’s what’s important to understand: having a program “in place” is just the starting point. 

A Cybersecurity Program Is Not a Checklist

One of the most important points raised in the webinar — and one worth repeating — is that a cybersecurity program is not a document you create once and file away. It’s a living, breathing organization-wide framework that covers people, processes, and technology. It requires governance, accountability, ongoing training, regular risk assessments, and continuous improvement. 

Ohio aligns its expectations with the NIST Cybersecurity Framework and the CIS (Center for Internet Security) best practices. Your program should be grounded in one of these recognized frameworks, not guesswork. 

The organizations that get this right are the ones that treat cybersecurity as a strategic function, not an IT task. It touches every department. Finance, operations, HR, and leadership all have a role to play. 

The Threats Are Real — and They’re Targeting Public Entities

Public entities are high-value targets. They hold sensitive data, provide critical services, and often operate with limited budgets, legacy systems, and lean or even single-person IT teams. Attackers know that even a brief disruption can create enormous pressure to respond quickly or pay up. 

According to the 2025 Verizon Data Breach Investigations Report, 78% of all public sector breaches stem from system intrusion, miscellaneous errors, and basic web application attacks. Most incidents are a combination of technical weaknesses and human mistakes. 

The top threats to watch include: 

  • Business email compromise (BEC): attackers impersonate trusted contacts to redirect payments or steal information 
  • Phishing and social engineering 
  • Ransomware 
  • Insider threats: intentional malicious actions or accidental human error 
  • Outdated legacy systems: unsupported or unpatched software and hardware 
  • Third-party or supply chain vulnerabilities: vendors becoming an entry point for attackers 

Cybercriminals are now using AI to craft more convincing messages, making it increasingly difficult to distinguish legitimate communications from malicious ones. 

The takeaway: this isn’t a future or hypothetical risk, it’s an active one. 

When an Incident Happens, The Clock Starts Immediately

HB 96 establishes clear incident reporting requirements. Once a cyber incident is identified, you have 7 days to report to the Ohio Cyber Integration Center (OCIC) and 30 days to report to the Ohio Auditor of State. 

During the webinar, Travis walked through a real-world case study involving a business email compromise. An employee received an email from what appeared to be a trusted vendor, clicked a malicious link, and unknowingly surrendered their password. Fortunately, multi-factor authentication (MFA) was in place and prevented the attacker from gaining access. The organization’s monitoring and alerting tools caught the activity quickly. 

The question that followed — do we report this? — is one many organizations will face. The answer in this case was yes. A password is confidential information. Its compromise qualifies as a reportable security incident, even when the attacker was ultimately blocked. 

The lesson: know your reporting obligations before an incident occurs. Have your incident response plan documented, including who makes the call to report, who needs to be notified internally, and how you’ll communicate with the OCIC and the Auditor of State. 

What Auditors Will Be Looking For

From the audit perspective, Tim Herold was direct: this is being reviewed now, not later. 

For cities and counties, cybersecurity compliance will be part of 2025 audit cycles. Auditors will be working from the Ohio Compliance Supplement (Chapter 2, Section 21) and will be looking at several things: 

  • Documentation of your cybersecurity program, confirming it meets the requirements outlined in the supplement 
  • Alignment with generally accepted cybersecurity standards (NIST or CIS frameworks) 
  • Proportionality — whether the program is appropriately scaled to the size and complexity of your organization 
  • Training documentation — evidence that required training is being provided and completed 
  • Incident reporting — whether any cyber incidents or ransomware demands were handled in accordance with HB 96 requirements 

One important note: your cybersecurity documentation is exempt from public records requests. You are not required to disclose it in response to a public records inquiry. 

Practical Steps to Take Now

Whether you’re refining an existing program or building one from the ground up, here’s where to focus your energy: 

Start with your incident response plan. If you don’t have one, create it. If you have one, review and update it. Make sure it defines who reports incidents, to whom, on what timeline, and who within your organization needs to be informed. 

Train your people. The human element is consistently one of the greatest vulnerabilities. Security awareness training isn’t optional — it’s a core layer of your defense. Make sure employees know what to look for and what to do when something seems off. 

Conduct tabletop exercises. Walk through a simulated ransomware or business email compromise scenario with your team. Talk through how each person on your team should respond. Identify gaps before they become real problems. 

Review the State’s resources. The Ohio Cyber Integration Center, the Ohio Auditor of State’s reporting guidance, and the Ohio Cyber Reserve’s readymade security program are all publicly available and well worth reviewing now. 

Consider outside support. When internal resources or expertise are limited, third-party advisors can help assess your program, validate your controls, and guide you through compliance requirements. You don’t have to navigate this alone. 

The Bottom Line

HB 96 isn’t just a compliance requirement — it’s a framework for protecting the people and services your organization exists to serve. Auditors are looking. Attackers are, too. A proactive, well-documented and operational cybersecurity program is the best defense on both fronts. 

If you have questions about where your organization stands or what steps to take next, Rea’s advisors are here to help. 


About the Author

Anita Martin, CPA, Principal, leads Rea’s Government Accounting practice and has been helping Ohio’s public entities navigate complex financial and compliance challenges since 2006. A CPA with memberships in AICPA, OSCPA, and the Ohio GFOA education committee, Anita specializes in government accounting, financial reporting, charter school accounting, and people development. She has spent her career living out the principle she holds closest: never stop learning. Anita is based in Rea’s Medina office.

Frequently Asked Questions

Do we have to report attempted attacks, or only successful ones?
Not every suspicious email qualifies as a reportable incident — that's just noise in the system. But if an actual compromise occurs, such as a stolen password or unauthorized access, that is reportable. The Ohio Cyber Integration Center (https://homelandsecurity.ohio.gov/ohio-cyber-integration-center/reporting-guidance) has published FAQ guidance on what is and isn't reportable. Review it now, before you need it. 
When will cybersecurity be reviewed in our audit?
For cities and counties, expect it to be part of your 2025 audit cycle. The program should have been in place by January 1, 2026, and incident reporting requirements have been in effect since September 30, 2025. Other entity types with a July 1, 2026 deadline should plan to have programs in place and expect audit review at their next cycle. 
What if not every employee completes our training?
Auditors will generally look at whether training is being provided and tracked, and review a sample of employees for completion. The more important thing is that your program documents training requirements clearly and that you have a system in place to track completion. If an employee is on leave or otherwise missed a session, document it. 
Does our cybersecurity program have to be disclosed if someone submits a public records request? 
No. Cybersecurity program documentation is explicitly exempt from public records requests under HB 96. You may deny that request. 
We already have a cybersecurity policy. Are we done?
Not quite. Having a policy is a strong starting point, but a policy alone doesn't equal a program. To meet HB 96's requirements, your policy needs to be actively maintained, updated, and tested on a regular basis. As your systems evolve and threats change, so should your controls and documentation. Think annual reviews, tabletop exercises, and periodic updates to reflect new risks or operational changes.


Disclaimer: The information contained within this article is provided for informational purposes only and is not intended to be a substitute for obtaining accounting, tax, legal, investment, or financial advice from a qualified professional. Consulting a qualified professional is crucial before making any decisions based on this information, as individual circumstances vary. While we use reasonable efforts to furnish accurate and up-to-date information, we do not warrant that any information contained in this article is accurate, complete, reliable, current, or error-free. We assume no liability or responsibility for any actions taken or not taken based on the content of this article. In no way does this article create a client relationship.
