Registrars have a responsibility to secure their infrastructure and data. Inevitably, some will be irresponsible, as appears to have been the case here. How are customers supposed to know about that before it’s too late? How would an average registrant make an informed decision? When all this is over, how will any of us know whether Epik has resolved the underlying issues?
Security audits work best when they’re performed regularly by different auditors. There are security auditors who will sign off on lousy security, but if you’re required to go to a new company each time, you’re not going to get away with the security flaws present at Epik for very long. Personally, I would like to see ICANN enforce annual security audits. That’s not to blame ICANN for what happened, but it would be a nice improvement to their policies that would help address the threats we’re seeing today.