How Ohio’s New Cybersecurity Law Relates to Financial Services

By: PCR Business Systems
Ohio’s new cybersecurity requirement—House Bill 96 (HB 96)—is making headlines for local governments and schools. Signed in mid-2025, it takes effect on September 30, 2025. Under it, municipalities, school districts, and water authorities must:
- Create a formal cybersecurity program aligned with best practices (think NIST or CIS).
- Require all staff to participate in cybersecurity training.
- Report cyber incidents within 7 days to the Department of Public Safety (specifically, the Ohio Cyber Integration Center) and within 30 days to the Auditor of State.
- Get legislative approval before paying any ransomware demand and publicly explain why it’s in the public’s best interest.
You might be thinking: “This law doesn’t apply to me—I’m not a city hall or school board.” But you and your financial institution are part of the same ecosystem—and you share the same expectations for readiness.
Why Financial Firms Should Pay Attention
- Examiners are watching the whole field. If municipalities across Ohio are being held accountable for incident response, documentation, and ransomware protocols, examiners will expect similar—or higher—standards from banks, credit unions, and RIAs.
- Everyone’s being compared. If schools and cities are expected to show tested backups, incident logs, and evidence of training, why shouldn’t your institution?
- It sets the rhythm. When the public sector raises the bar on breach response and transparency, that tone echoes across the private sector—especially one entrusted with sensitive financial data.
The Real Challenge: Evidence Over Promises
Cybersecurity in your world isn’t about checking boxes—it’s about being ready to show proof. Here’s what matters most:
- Backups that aren’t just promised, but tested. Knowing you can restore a system in under two hours transforms panic into control.
- Logs you can actually use. When an auditor asks for a SIEM log or a patch report, you’ll have it ready instead of scrambling for it.
- Vendor packets that are up to date. SOC 2, pen-test results, insurance coverage—indexed, labeled, and ready to go.
- Clear, board-level updates. Not technical jargon. Real-world readiness: “Last quarter, phishing failure fell from 22% to 7%.”
If you’ve ever stopped at “we’ll scramble before they get here,” you’re not alone. But that kind of uncertainty doesn’t hold up.
Practical Cyber Moves That Matter
Instead of spreading your team thin, concentrate your energy on these high-leverage steps:
- Make backup tests routine. Quarterly rehearsals aren’t overkill; they’re peace of mind.
- Lock down email and identities. MFA, impersonation protection, phishing awareness, and access reviews make a world of difference.
- Lean in with co-management. An Akron-based cybersecurity partner doesn’t replace your staff. They fill in where three people can’t do 10 tasks.
- Keep vendor due diligence live. No packets in limbo. No guessing whether that loan origination vendor passed their last pen test.
- Make your board feel confident—not confused. Simple metrics like “patch compliance,” “recovery time,” and “phishing click rates” show control, not chaos.
How to Stay Prepared
Ohio’s HB 96 is a powerful reminder: cyber expectations are rising everywhere. But you don’t have to feel cornered by it.
With a few tested practices, clean evidence, and thoughtful partnerships, you can move from reaction to readiness—and restore trust in every connection you serve.
Here are 5 Things to Do Now for Exam-Ready Cybersecurity:
- Test your backups → Run a restore test and document the results.
- Tighten email defenses → Enforce MFA, enable DMARC/SPF/DKIM, and check impersonation protection.
- Review access rights → Remove stale accounts, confirm privileged access controls, and log the review.
- Update vendor packets → Make sure SOC 2 reports, pen-test summaries, and insurance certificates are current.
- Prep your board report → Highlight phishing test results, patch compliance, and disaster recovery outcomes.
Schedule a meeting with PCR President Pat Carroll to learn more about our nonprofit IT solutions.



