The Committee of the Whole reviewed a draft city cybersecurity policy staff prepared to comply with the Ohio Auditor of State’s bulletin implementing Ohio Revised Code 9.64 (House Bill 96). The statute requires political subdivisions to adopt cybersecurity standards; the code’s requirements become effective Sept. 30, 2025, and municipalities must have policies in place by Jan. 1, 2026.

City staff and the mayor outlined key components of the draft policy: firewall and antivirus standards, multi-factor authentication, staff training and phishing awareness, regular backups, incident-notification protocols and recovery procedures. The IT director and the city’s contracted IT vendor (GoToIT) vetted the draft, the mayor said.

Council members discussed practical implications, including whether council should access city email only from city-issued devices and whether the IT department should recommend protections for councilmembers’ home computers. Members asked IT to clarify frequency of policy updates and recommended multi-factor authentication for remote access.

The mayor and staff emphasized training and testing will be part of the plan, and they urged staff and residents to be cautious about suspicious emails. The committee did not adopt the policy Monday; staff said the item will return to council for formal adoption ahead of the statutory deadline.