HM Treasury issues Budget Information Security Review
HM Treasury has published a Budget Information Security Review in response to incidents ahead of the 2025 Budget. The document folds in the National Cyber Security Centre’s analysis of the OBR’s prematurely available Economic and fiscal outlook and the Cabinet Office’s inquiry into a 13 November Financial Times income tax article. The government says all recommendations will be implemented in full. (gov.uk)
The NCSC’s technical report confirms there was no hostile cyber activity. Instead, a WordPress configuration issue on the OBR site, compounded by caching, made the EFO accessible before the Chancellor spoke. Additional logs show at least 24,701 downloads of the November 2025 report, rather than the 43 initially identified, and 16 successful accesses of the March 2025 EFO. (assets.publishing.service.gov.uk)
What changes from here is largely operational. The Review mandates embedded IT controls that block email attachments, limit access to named lists, and restrict printing or downloading, with full audit trails. These controls will be tied to a new “BUDGET - MARKET SENSITIVE” label so the tightest rules automatically follow the most sensitive material. Fewer officials will routinely see this content. (gov.uk)
Publishing is also being centralised. The March 2026 EFO will be released on the OBR’s behalf by the Treasury via GOV.UK, with a longer‑term plan for the OBR to use GOV.UK for market‑sensitive outputs permanently. The NCSC explicitly recommends GOV.UK for these releases to reduce technical risk. (gov.uk)
Crisis handling will be formalised. HM Treasury and the OBR will work with the Bank of England on a shared protocol to manage any future breach, reflecting how quickly fiscal documents can ripple through gilts, sterling and equity markets. (gov.uk)
The Macpherson Principles remain in force. That means the economic and fiscal projections, the overall fiscal judgement, and specific tax rates, reliefs and allowances must not be pre‑briefed to media or the public, even as officials tighten day‑to‑day controls. (gov.uk)
For investors, the signal is straightforward: expect tighter Budget lock‑ins and fewer hints in the run‑up to fiscal events. A formal market‑sensitive label should cut ambiguity for communications teams and remove the grey area around what can be discussed before the speech.
Centralising EFO publication on GOV.UK reduces the operational risk that tripped the OBR (misconfigurations, caching quirks and URL‑guessing), while access controls that disable downloads and printing lower mishandling risk. For research desks, plan for the EFO to drop on GOV.UK and build alerts accordingly.
The OBR has already undertaken its own investigation, and its chair, Richard Hughes, resigned on 1 December 2025, an indication that publication security is now seen as a governance issue as much as an IT one. (obr.uk)
Near term, parliamentary scrutiny will track implementation. The Commons Science, Innovation and Technology Committee is taking evidence on data security across government on Tuesday 10 February 2026, with ministers expected to face questions on the Review’s rollout. (committees.parliament.uk)