The Securities and Exchange Commission (SEC) must do more to improve its defences against cyber attacks, says the US Government Accountability Office (GAO).
Wall Street's top regulator is failing to consistently protect its network boundaries, authenticate users and encrypt sensitive information in transit, says the GAO in its report.
The report says that the SEC has resolved 47 of the 58 recommendations made by the GAO in a 2015 audit but is still falling short in several areas, such as authorising access to resources, and auditing and monitoring the actions taken on its systems and network.
In addition, the report finds another 15 new "control deficiencies" that are holding back the SEC's ability to protect itself. Among these are a failure to consistently control logical access to its financial and general support systems, and the use of unsupported software to process financial data.
These weaknesses exist, in part, because the SEC did not fully implement key elements of its information security programme, says the GAO. For example, the regulator did not maintain up-to-date network diagrams and asset inventories in the system security plans for its general support system and its key financial system application.
The report says that while the issues it has found do not constitute a "material weakness or significant deficiency", they warrant SEC management attention, prompting another 26 recommendations.
"Until SEC mitigates these deficiencies, its financial and support systems and the information they contain will continue to be at unnecessary risk of compromise," says the GAO.
The SEC has concurred with the recommendations.