last note · 2026-05-30

0x05 · scope discipline

When Not to Engage Subrogation Forensics: An Honest Threshold for Cyber Insurers

This is a post about the engagements Hexmortem turns down. Subrogation forensics for cyber insurers is a defensible engagement when the artifacts, the causation theory, and the recovery economics align. When any of the three is missing, the work produces a deliverable that costs more than it returns and occasionally damages the underlying claim posture.

The thresholds below are how the lab evaluates whether a subrogation engagement should proceed, and they are written in the form a carrier or panel counsel can apply before the call.

Threshold One: The Recovery Target Is Below the Work Product Cost

Subrogation forensics is a structured engagement. The work product must meet the causation and breach-of-duty standards subrogation counsel needs to prove — not the operational standards of incident response — and that means artifact-by-artifact reconstruction tied to the third party’s specific failure.

If the realistic recovery against the MSP, software vendor, or processor is in the low six figures, and the forensic work to establish causation at a defensible standard runs a meaningful fraction of that, the math does not work. A carrier is better served preserving the artifacts and pursuing recovery on the strength of the original report and contractual provisions, even if the recovery is smaller.

Hexmortem will say so before scoping the engagement.

Threshold Two: The Causation Chain Has a Structural Gap

Subrogation requires showing that the third party’s specific failure caused the loss. “The MSP had weak controls and a breach occurred” is not causation. “The MSP failed to apply patch X within their contracted SLA, the unpatched vulnerability was the initial access vector reconstructed from artifact set Y, and that access vector produced the loss measured at Z” is causation.

If the artifacts that remain cannot connect the third party’s specific act or omission to the initial access, the lateral movement, or the egress, the causation chain has a structural gap. Forensic work cannot manufacture artifacts that do not exist. It can only reconstruct what the surviving record supports.

The honest disclosure at scoping is whether the available artifacts can carry the causation theory. Sometimes they cannot, and the engagement should not proceed on the theory that further work will close the gap.

Threshold Three: The Original IR Report Already Establishes What’s Needed

Not every subrogation matter requires a separate forensic engagement. If the original IR vendor’s report — even one written for operational rather than evidentiary purposes — already documents the third party’s failure with sufficient artifact attribution, supplementing it with a full subrogation reconstruction may be redundant.

The useful pre-engagement question is: what does the original report establish, what does subrogation counsel need that it does not establish, and is the gap large enough to justify a separate work product? If the answer is that the gap is narrow and could be closed by a targeted Independent Second-Opinion Review or a focused supplemental analysis, that is the engagement to scope, not a full subrogation reconstruction.

Threshold Four: The Third Party Has No Recoverable Position

Subrogation economics depend on the target’s ability to satisfy a recovery. A small MSP with limited E&O coverage and modest assets may not be a recovery target regardless of how clean the causation chain is. A software vendor with contractual limitation-of-liability clauses that cap exposure at the license fee paid may produce a recovery that does not justify the work.

This is counsel’s analysis, not the forensic lab’s, but the lab should ask the question early. Hexmortem does, because committing forensic work product to a recovery that cannot be collected serves no one.

When Subrogation Forensics Is the Right Engagement

The inverse of the four thresholds is the engagement profile that does work: a recovery target sized in the seven or eight figures, a causation theory supported by artifacts that survive in the post-incident record, a gap between what the original IR report establishes and what subrogation counsel needs, and a third party with the position to satisfy a recovery.

When those four conditions hold, Subrogation Forensics produces work product structured for the standards counsel must meet — drafted from the outset for the recovery panel, the arbitration, or the litigation that will test it.

When they do not, the honest answer is that the engagement should not proceed. Hexmortem operates as a forensic lab without a live IR practice or carrier retainer relationships, which is the structural reason it can give that answer without a revenue interest in the alternative. If the matter on your desk is at the stage where these thresholds need to be tested against the artifacts that actually remain, that is the conversation that should come before the engagement letter.
