Sunbury staff to draft cybersecurity policy after state law sets Jan. 1, 2026 enforcement date

Devin, finance director, told the Sunbury Finance Committee on Sept. 17 that House Bill 96 and Auditor of State Bulletin 2025-007 require the city to adopt and enforce a cybersecurity policy by Jan. 1, 2026.

The requirement matters because the bulletin lists required elements — including definitions for cybersecurity and ransomware incidents and the circumstances under which ransom payment is permitted — and the deadline gives the city a firm compliance date. "It basically requires that all entities of the state of Ohio and cities as we are a city, we are, obligated to do this. We have to enact a cybersecurity policy, and this policy has to be enacted and enforced as of 01/01/2026," Devin said.

Devin told the committee the Auditor's bulletin provides guidance but not a ready-to-use draft policy, and that she will seek examples from other cities and from the Ohio Municipal League (OML). "What this doesn't provide is a draft policy or an example that we can take and and modify. So I'll be looking for examples from other cities and through the OML, as through the coming months and put that policy together and bring it to finance committee and eventually council to get that approved and in place prior to the deadline," she said.

Committee members discussed the ransom-payment guidance included in the bulletin. One committee member said they had read advice that organizations should "never ever pay" ransom demands; Devin noted the bulletin defines when payment is allowed and that the legislative authority must vote to permit payment in those circumstances. "It's defined in there on this on the third page ... it talks about when it's allowed. But I think it does have to be voted on by the legislative authority," Devin said.

Devin also emphasized backups as a frontline defense: "If you got backup data and keep what you have..." She additionally notified the committee that budgeted funds for cybersecurity exist in the 2026 draft budget but that the city might need to purchase products or services to meet the policy's requirements.

Next steps the finance director outlined include researching model policies, drafting a city-specific policy, and bringing that draft to finance committee and then to council for approval before the Jan. 1, 2026 enforcement date. No formal committee action was taken Sept. 17; the item was presented for information and planning.

Sunbury officials and residents should expect a forthcoming draft policy, a possible request for 2026 budget allocations to implement technical controls, and a council vote if the city pursues any ransom-payment protocol that the bulletin allows.