Locals finally got some answers about how $1.2 million was taken from Sebastopol’s reserves account held by the County of Sonoma in late April and what the city’s going to do about it.
Sebastopol’s not getting that money back, but insurance is kicking in to restore the loss, according to City Manager-Attorney Larry McLaughlin, who spoke about the loss during the council’s Dec. 21 and Jan. 4 meetings. The City of Sebastopol has already filed a claim against the County of Sonoma, finding the county responsible for reimbursement, but the two struck a deal to try covering the loss between their insurance policies first.
McLaughlin stated that $375,000 has been restored through the county’s crime policy insurance carrier covering up to its limit. When the county gets its insurance proceeds, those monies will be handed to the city as agreed, he said.
The rest of the four claims are still pending with their insurance carriers. As for legal deadlines, the city manager said he thought it could take a year to hear back from them all, in addition to the roughly seven months that have already passed.
How did this happen?
At the Jan. 4 city council meeting, McLaughlin said his understanding is that the breach was made possible when a city employee opened a link that “shouldn’t have been opened,” which allowed the thief access to email addresses.
Posing as Sebastopol’s administrative services director, the perpetrator emailed an employee from the county’s auditor-controller-treasurer-tax collector’s office to request the funds, he said.
“That particular request, in our opinion — city attorney and city staff’s opinion — should have alerted staff at the county treasurer’s office that this was potentially a fraudulent request transfer,” McLaughlin said during the Dec. 21 city council meeting.
The treasurer’s office has its own internal protocols to prevent accidents when cities come through to access large amounts of money on deposit, he said, which happens over a routine sequence of transactions.
Besides misspelling names of people involved, the request was dated nearly a year away from the date it was actually submitted, McLaughlin said. The county transferred the money in about a day, “directed to be deposited to an account in Georgia, and to an account whose name or description,” he said, “made no sense in the context of the normal uses of city monies.”
The county broke its own rules that required a greater passage of time before responding to a request as hefty as $1.2 million, furthermore.
“These funds seem to be irretrievably lost to the city, and that probably occurred shortly after the transfers were made,” McLaughlin said, once transactions between accounts bounced the monies out of orbit for the city and the Federal Bureau of Investigation.
Back to insurance, he said, “Unfortunately, for reasons presently not known to me, the county’s coverage is, in my opinion, grossly inadequate to cover anywhere near the amount of funds they have on file, not even enough coverage to cover our own funds which were on file there.”
McLaughlin said Sebastopol’s two policies are more than enough to cover the entire loss, while the county’s remaining cyber policy holds $500,000. Sebastopol’s crime coverage caps out at $2 million and its cyber coverage limit is at least $75,000, he estimated on Dec. 21, 2021. He said there may be more coverage available, but “the type of coverage is still being debated with our outside counsel.”
None of the three insurance carriers left have made a decision regarding the policies filed, although McLaughlin reported that the city received support from its insurance pool, the California Intergovernmental Risk Authority (CIRA).
Community member Kyle Falbo pressed for hidden costs of the fraud at both meetings. “While it may well be the case that we’ll be receiving back the stolen money, this will still cost our city and our county over time in increased insurance costs,” he said at the Dec. 21 city council meeting.
Falbo said he also wanted to know what the city’s IT protocols were and whether they included dual-factor authentications and citywide training and testing on phishing.
According to McLaughlin, there haven’t been any premium increases stemming from “the actions for which we filed claims.” He added, “However, I’d be the first one to admit that I would not be surprised if there’s increases in premiums in the future.”
He told the public and the council on Jan. 4 that premiums have been rising across Sebastopol’s policies outside of its insurance pool, partly because of lawsuits filed over various issues like property loss from wildfires and flooding.
“We have across the board sustained almost perpetual premium increases. It’s difficult to ascertain really the cause of the increases in many cases, but to my knowledge we have not received any increases to date as a result of the fraudulent cyber fraud wire transfer,” he said.
McLaughlin stated no lawsuits have come up regarding the stolen funds, either, although it’s possible that the city’s pending claim against the County of Sonoma could become one at some point.
He maintained that the cyber fraud and SPD’s computer system breach were unrelated incidents, as the city held since first announcing the two breaches in July of 2021.
Most of SPD’s computers were restored by the end of that month, according to Sebastopol Police Chief Kevin Kilgore. The city manager said the city’s protocols did the job then by preventing further access and loss, “and damage was minimal.”
For the future, McLaughlin suggested the council take up a report from Administrative Services Director Ana Kwong on changes made to the city’s IT protocols, some of which he said resemble recommendations from the public.
