A new survey out Wednesday finds that the energy and utilities industries rank the lowest when it comes to computer and information security risk management.

The third biennial survey by the Carnegie Mellon University CyLab comes as Congress is considering legislation to mandate cybersecurity measures in critical industries.

The survey of 108 global companies also found that the financial sector had the best risk management practices.

Overall, the statistics are grim.

For instance, although 91 percent of the respondents — all executive board or senior executive officials — indicated that risk management was being actively addressed, only 29 percent said they were paying attention to information technology operations, 33 percent to computer and information security and only 13 percent to management of vendors who provide software and other crucial services, the study found.

The lack of attention paid to security risk management by the energy and utility sectors is disturbing given the degree to which operations and processes are controlled by information technology systems, the report said.

In a comparison of industries, the study found that 57 percent of energy and utility company executives who responded rarely or never reviewed security program assessments. That compares with 17 percent for the financial sector.

John Dickson, a principal at Denim Group and a cybersecurity expert who works closely with Fortune 500 companies, said the results are consistent with what he has seen in industry. Although the financial sector generally has better security, he said, the threats those firms face come from criminals based in Eastern Europe. What concerns him, he said, are the “nation-state guys” going after the electric and other utilities, since those actors have greater capabilities to disrupt, damage or destroy networks and the information in them.