The General Accountability Office said weaknesses remain in the way the Securities and Exchange Commission maintains security over its financial systems and data, although the SEC has made progress in improving measures since September 2014 – the last time GAO looked at the SEC’s cybersecurity program. Among other shortcomings, the SEC did not “consistently protect its network from possible intrusions, identify and authenticate users, authorize access to resources, audit and monitor actions taken on its systems and network, and restrict physical access to sensitive assets,” claimed GAO. GAO also said that the SEC did not consistently ensure that its hardware and software are configured with appropriate security features; did not always divide incompatible duties among separate persons so that one person does not control all steps of a process; and did not maintain updated business contingency and disaster recovery plans. Although GAO did not determine that the SEC’s failures constituted a material weakness, it concluded that, in aggregate, the SEC’s oversight flaws mean that the “SEC’s financial information and systems [are] exposed to increased risk of unauthorized disclosure, modification, and destruction.” GAO determined that these shortcomings resulted from the SEC’s failure to “effectively implement” elements of its own information security program. GAO is an independent, non-partisan federal agency that supports Congress in ensuring that US government funds are spent “efficiently and effectively.”