The report found that the SEC has corrected or mitigated only eight of 51 weaknesses cited by the GAO in a report last year, a response the oversight office of the U.S. Congress called inadequate. The report identified 15 new vulnerabilities in addition to those on last year's list.

Corrective actions taken by the SEC over the past year include replacing a vulnerable, publicly accessible workstation, and developing and implementing change-control procedures for an undisclosed major application.

The report found that the financial regulatory agency has not yet effectively controlled remote access to its servers, established adequate controls over passwords, or managed access to its systems and data. In addition, the SEC has yet to securely configure network devices and servers or implement auditing and monitoring mechanisms to detect and track security incidents.

Weak controls

Most of the newly discovered weaknesses are related to electronic-access controls such as user accounts and passwords, access rights and permissions, and network devices and services, the GAO said.