School districts throughout Ohio need to meet new cybersecurity requirements for the upcoming school year that cover responses to cyber incidents and ransom demands from attackers.
Those rules – mandated by the state’s fiscal year 2026 budget – require all local governments and school districts by Sept. 30 to have cybersecurity policies in place, long with mechanisms to approve any ransom payments to hackers.
Those policies include adopting a cybersecurity program that “safeguards the district’s data, information technology and information technology resources to ensure availability, confidentiality and integrity,” according to officials from the Ohio School Boards Association.
Security programs must align with what officials called “generally accepted best practices for cybersecurity” such as those provided by the National Institute of Standards and Technology.
Programs also should include annual cybersecurity training for employees, a cyber incident response plan, and practices to assess and remediate cyber risks, according to the state.
“The Auditor of State will begin checking school districts for compliance with the requirement to adopt a cybersecurity program starting July 1, 2026,” said officials who added that additional guidance on how to build compliant programs would be provided later this month during a webinar hosted by CyberOhio, the state’s cybersecurity initiative.
The requirements come a year after the state suffered a cyberattack that exposed sensitive personal information of half a million residents, including their Social Security numbers, and which led to some web services being temporarily shut down.
In addition to putting cybersecurity programs in place, school districts will be required to obtain school board approval before paying any ransom demand unless the district’s board of education “formally approves the payment or compliance in a resolution that specifically states why it is in the best interest of the school district.”
Cyber incidents must be reported to the Ohio Cyber Integration Center within seven days after discovering a breach, with reports to the Auditor of State no later than 30 days after identifying the incident.