GAO auditors have identified weaknesses in information security controls at the Securities and Exchange Commission. The SEC had not consistently or fully implemented controls for identifying and authenticating users, authorizing access to resources, ensuring that sensitive data are encrypted or auditing actions taken on its systems. SEC also had failed to install patch updates on its software, exposing it to known vulnerabilities, which could jeopardize data integrity and confidentiality. SEC policy requires use of complex passwords and account lockout after unsuccessful log-in attempts, as well as disabling inactive accounts.”]
Source: https://www.govinfosecurity.com/secs-financial-information-at-risk-a-4679