Two days after the Securities and Exchange Commission said it would monitor investment advisors more closely on cybersecurity, a General Accountability Office report faulted the agency Thursday for its own lapses in this area.

The GAO, Congress’s investigative arm, said improvements are critical because the SEC’s increased reliance on computer networks exposes it to threats from foreign nations, criminals, hackers and disgruntled employees.

The SEC placed financial data at risk by not consistently controlling access to its networks, servers, applications and databases, said the report, which cited the agency’s inadequate password protection for identifying and authenticating users.

The agency also used insufficient encryption when sending data, the GAO said, and failed to limit physical access to its main data center.

“For example, system administrators’ workstations were located in an open area that was accessible by all personnel with access to the SEC headquarters,” said the report. “The insufficient physical access control …reduces [the agency’s] ability to protect the system from unauthorized access.”

The financial regulator was also chided for not updating its data information technology contingency and disaster recovery plans.