SEC Fails to Take Some Basic Cybersecurity Precautions

The 27-page report by the Government Accountability Office found the Securities and Exchange Commission did not always fully encrypt sensitive information, used unsupported software, failed to fully implement an intrusion detection system and made missteps in how it configured its firewalls, among other things.

“Information security control deficiencies in the SEC computing environment may jeopardize the confidentiality, integrity, and availability of information residing in and processed by its systems,” the GAO said.

“Until SEC mitigates its control deficiencies, its financial and support systems and the information they contain will continue to be at unnecessary risk of compromise.”

The SEC, as Wall Street’s top regulator, houses a tremendous amount of sensitive and confidential information that it must closely safeguard to protect against identity theft or efforts by cyber criminals who might want to use the information for insider-trading or harming U.S. equity markets.

Get Data Sheet, Fortune’s technology newsletter.

The GAO report did give credit to the SEC for making improvements, saying that since September 2016, the agency had resolved 47 of 58 different recommendations previously made by the watchdog office.

However, the GAO noted that 11 recommendations to protect against cyber intrusions remain outstanding, and another 15 new control deficiencies were identified in the GAO’s latest review.

For more about cybersecurity, watch:

Among some of its new recommendations include maintaining up-to-date network diagrams and performing continuous monitoring on its operating systems, databases and network devices.

In a July 14 letter, SEC Chief Information Officer Pamela Dyson said the agency concurs with the recommendations and that it has fixed or plans to fix the problems that were identified.

An SEC spokeswoman did not comment beyond the letter responding to the GAO’s conclusions.