Kyle Webb, chief information officer for Knox County, reviews Mount Vernon's cybersecurity policy at the Sept. 22, 2025, city council meeting. The city contracts with the county for IT services. Credit: City of Mount Vernon video

MOUNT VERNON — A state mandate passed in June requires political subdivisions to adopt a cybersecurity policy to safeguard their information, technology, and IT resources.

The mandate is part of the state legislature’s House Bill 96 and is codified as Ohio Revised Code 9.64.

Subdivisions include counties, townships, municipal corporations, school districts, libraries, and other bodies responsible for government activities.

In 2023, the city contracted with the county for IT services. On Monday, Kyle Webb, the county’s chief information officer, reviewed the city’s proposed cybersecurity policy with city council members.

“There are some things that [the state] requires, some stipulations that they flat out say you have to have. Other [areas] it just has to try to meet and conform to national standards in cybersecurity,” Webb told the council.

“This is a nice framework for a policy. It’s a good start. You can always get more specific with things, but this [policy] definitely meets the recommendations of the state.”

As part of the policy, the city must identify its critical functions, cybersecurity risks, and the impacts of a breach. It must also specify methods to detect potential threats, establish communication and control chains, and set out repair procedures in the event of a breach.

Ransomware and payment provisions are critical

Webb said the state’s primary issues are ransomware and payments.

The bill requires the city to report a ransomware attack “as soon as possible but not later than seven days” to the Ohio Department of Public Safety.

It must also report the incident to the state auditor within 30 days.

“The other part that they’re big on is if you’re going to pay a ransom, it has to come to legislation. You cannot make that payment without it being legislatively passed in front of a public body,” Webb said.

According to Webb, most of the policies already exist. ORC 9.64 now requires subdivisions to formalize those policies.

However, he noted the state does not have a mechanism to monitor whether subdivisions follow their policies.

Councilman James Mahan acknowledged the proposed policy is not as specific as it could be.

However, he noted the city could also write a policy that is so specific that it is difficult to follow, and the city would be liable for not adhering to it.

“So, we’re looking for that balance … trying to [find] the balance between being reasonable and meeting requirements, and yet not being so specific writing a policy that we can’t even follow ourselves,” he said.

Webb agreed the city did not want to tie its hands to the point where it had to return to the council to make changes.

“Things like the incident response plan, those are the things that you can be very detailed about. This [policy] just references it,” he said.

‘We’ve got some serious gaps’

A cyberattack hit the city in December 2022, in which the intruder installed LockBit ransomware.

The breach affected several city departments, including the Mount Vernon Municipal Court, police department, auditor’s office, and public works.

Mount Vernon resident Joshua Morrison believes the city’s response was delayed.

“In something like that, every second matters,” he said during the public participation portion of council’s legislative session.

“After reviewing the ordinance and the city’s handling of the 2022 cyberattack, we’ve got some serious gaps,” Morrison said.

Morrison feels the proposed cybersecurity policy is vague, weak on enforcement, secretive, and slow to act.

“Risk assessments, patching, and incident response lack measurable deadlines and time frames,” he said.

“There are no consequences if someone fails to comply with the ordinance, with your policy.”

Documents related to the cybersecurity program or a ransomware incident are not public records.

Exempt records include information about software, hardware, and services that are being considered for procurement, have been procured, or are being used by a political subdivision, including vendor name, product name, project name, or project description.

However, Morrison said secrecy worsens attacks. He also said the seven-day and 30-day reporting windows are way too long.

He encouraged the city to strengthen the ordinance by creating clear incident protocols, notifying state and federal agencies within 24 hours, and imposing consequences on employees or vendors who fail to meet multi-factor authentication requirements.

Morrison also said independent oversight and a public communication plan are essential.

Timeline for implementation

ORC 9.64 takes effect Sept. 30.

According to a bulletin issued by Ohio Auditor of State Keith Faber, cities and counties must implement the cybersecurity policy by Jan. 1, 2026.

All other entities have until July 1, 2026, to implement the policy.

Council members gave the policy its second reading on Monday night.
