What broke down here is the threat assessment model. Was there a competent team of interdisciplinary experts who reviewed the threat and concluded it was reasonably credible? then no need for a CYA, since you are doing your job.
But if this was based on the consensus of a few local folks you know, that may or may not have a respectable background to advice you, then it's on you.
First of all, if they would have a semi decent IT Security expert as part of their threat assessment team, they wouldn't even have reported that "the IP address was from Germany" since they'd know it's largely irrelevant, being most likely a Tor exit node or a VPN end point, if it didn't match a well-known origin. Instead, they'd focus on the language, plot details and other things that can reveal if this is indeed credible or not. Then they'd probably correlate with similar chatter in other places (like NY), and on and on.
I'm not sure if every major city should have one of such teams on stand-by, but at least a "service" should exist for these kinds of things so someone like a School Superintendent or a Mall Manager can tap into.