Summary
- MGM Resorts' September 2023 cyber incident became an accountability test because the operational symptoms were visible to guests, employees, payment partners, regulators, and investors while the underlying identity and system-control facts were still being reconstructed.
- MGM's public filings show a sequence from initial cybersecurity issue disclosure to later statements about data exposure, business interruption, estimated expenses, and insurance. Those filings matter because public-company disclosure is part of the control record, not a separate communications exercise.
- The identity-control question sits at the center of the case. Public-sector Scattered Spider advisories describe the threat pattern of social engineering, help-desk abuse, SIM swaps, MFA fatigue, and privileged access. Those advisories are threat context, not a complete MGM forensic report, but they show why help-desk identity proofing is an operational control.
- Detection and disclosure delay should not be measured only by the first public statement date. The useful question is when MGM could identify the access path, limit the blast radius, preserve service continuity, tell customers what risk they faced, and give investors a reliable view of cost and recovery.
- A credible repair record after a hospitality identity incident should show stronger identity proofing, privileged reset controls, service-continuity fallbacks, evidence preservation, customer notice clarity, and a disclosure process that does not hide operational uncertainty behind generic cyber language.
A hotel incident becomes public before the forensic picture is complete
Hospitality incidents have a way of becoming public before the technical record is ready. A guest cannot check in. A reservation desk changes procedure. A loyalty account stops behaving normally. A payment system is degraded. Employees improvise with offline processes. Social media fills the gap between visible disruption and official explanation. That is why MGM's 2023 incident is a detection and disclosure problem, not only an intrusion problem.
MGM Resorts filed an initial Form 8-K on September 13, 2023, available in the SEC archive as MGM Resorts International Form 8-K. The attached company statement, Exhibit 99.1, said MGM had identified a cybersecurity issue affecting some systems, started an investigation, notified law enforcement, and taken prompt action to protect systems and data, including shutting down certain systems. That early filing did not and could not answer every customer question. It did establish that the incident had moved into the public record.
The next accountability layer came weeks later. MGM's October 5, 2023 Form 8-K, filed with the SEC, and the company investor-relations update, MGM Resorts update on recent cybersecurity issue, described operational restoration, data determination, estimated expenses, insurance expectations, and customer information categories. The company said the incident caused disruption across properties and that it expected a negative adjusted property EBITDAR impact in the third quarter. That moved the story from "systems affected" to "measurable business and customer risk."
Detection delay lives in the space between those two filings. An organization may know quickly that something is wrong, but still need time to know what happened, which systems are trustworthy, whether customer data was accessed, whether an attacker remains present, what the cost may be, and what notices are required. That delay is not automatically blameworthy. It becomes an accountability issue when customers, employees, regulators, and investors carry harm while the facts remain too vague to guide action.
Public reporting by the Associated Press, including coverage of casino and hotel system issues, showed why ordinary users do not experience a cyber incident as a forensic timeline. They experience it as friction at the front desk, uncertainty about reservations, degraded payments, and anxiety about personal data. Reuters reported on links made by sources between the breach and Scattered Spider in coverage of the MGM incident. Such reporting should not replace MGM's own filings, but it shows the market of information in which customers and investors had to act.
That market can punish silence and overstatement. If a company says too little, customers fill the gap with rumor. If it says too much too early, it may mislead. The accountable middle is not perfect certainty. It is staged candor: what is known, what is not known, which services are affected, which customer actions are warranted, which systems are being restored, and when the next update will arrive.
Identity proofing was not back-office detail
Identity controls in hospitality often look like back-office technology until they fail. Help desks reset accounts. Employees use remote support. Contractors and vendors need access. Loyalty systems connect guests to rewards and stored information. Reservation systems connect rooms, payments, and service requests. Privileged resets can become the door through which an attacker reaches business operations. In that environment, identity proofing is not administrative hygiene. It is service-continuity infrastructure.
CISA, the FBI, and partners published advisory AA23-320A on Scattered Spider, also available as a PDF. The advisory describes tactics such as social engineering help desks, SIM swapping, MFA fatigue, identity-provider compromise, data theft, and extortion. The article should not treat every listed tactic as proven in MGM's environment. Its value is that it identifies the control family that mattered across this class of incident: identity, help-desk trust, privileged access, and response speed.
If a help-desk workflow lets an attacker convert social skill into privileged access, the visible failure may appear days later as system shutdown, guest-service disruption, or public disclosure. The root control is earlier. Who can reset a high-privilege account? What identity evidence is required? Can a help-desk employee override MFA? Are suspicious reset requests escalated? Does the system detect a new device, new SIM, new authenticator, or impossible travel after a reset? Can administrators revoke sessions quickly? Those are operational questions.
NIST's Digital Identity Guidelines are relevant because they treat authentication as a set of assurance choices, not a ritual. A hospitality company does not need every employee action to be impossible. It needs sensitive reset flows to be resistant to realistic social engineering. The more a reset can unlock operational systems, the stronger the proofing and monitoring must be.
Incident response guidance matters too. NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide, provides a framework for preparation, detection, analysis, containment, eradication, recovery, and lessons learned. MGM's public record does not reveal every internal step. But the guide explains why early containment may require shutting down systems before the company can confidently describe the whole event. That can be responsible. It can also create visible disruption that needs customer-facing explanation.
The accountable question is not whether MGM should have avoided every identity attack. A realistic standard assumes attackers will target support channels. The question is whether MGM had controls proportionate to the authority those channels carried. If a social-engineered reset can reach hotel operations, loyalty records, payments, or corporate systems, then the reset process is a business-critical control. It deserves the same governance attention as network segmentation or endpoint detection.
Disclosure is part of the recovery mechanism
Public-company disclosure often sounds like a legal overlay, separate from technical recovery. In a cyber incident, it is part of the recovery mechanism. Investors need to understand material cost and operational effect. Customers need to understand data risk and service status. Employees need consistent instructions. Regulators need a record of what the company knew and when. A vague disclosure may reduce immediate legal exposure while increasing operational confusion.
The SEC's 2023 cybersecurity disclosure rule, documented in the final rule PDF Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, and the SEC release announcing the rule, provide the disclosure context. The rule does not decide every fact about MGM. It shows why public companies increasingly need incident processes that connect technical facts to materiality decisions quickly. The disclosure clock is not purely technical, but it cannot run without technical evidence.
MGM's 2023 Form 10-K, filed in February 2024, and later annual filing, 2024 Form 10-K, place the incident inside risk, cost, insurance, and governance language. Annual filings do not provide a full forensic record, but they show how a visible incident becomes part of continuing risk disclosure. The public record therefore has several layers: immediate issue statement, later incident update, annual risk disclosure, and ongoing governance representation.
This layering can help or confuse. It helps if each document adds specificity: affected services, data categories, cost range, control improvements, insurance recovery, residual litigation, and future risk. It confuses if each document repeats generic cyber-risk language without connecting it to the event customers experienced. For an incident that affected hotel and casino operations, the bridge between cyber terms and service terms is crucial.
Customers do not ask whether a filing used the correct risk-factor heading. They ask whether their reservation, payment card, identity document, loyalty account, or personal details are safe. Employees ask whether they can rely on restored systems. Payment partners ask whether transaction flows are clean. Investors ask whether the cost estimate and insurance recovery are credible. Disclosure must serve all of those audiences without pretending that one sentence can satisfy them.
The more visible the operational disruption, the more important update cadence becomes. An early "we are investigating" statement may be appropriate on day one. It becomes weaker if the company does not give structured updates as services restore and data determinations mature. MGM's October 5 update was valuable because it moved beyond the first statement into data categories and business impact. The accountability question is whether that specificity arrived quickly enough for each stakeholder group.
The service floor was part of the evidence
MGM's incident is a reminder that operational evidence may be visible in places far from the security operations center. A front desk running an alternate process, a payment terminal failing, a loyalty account delay, a manual room assignment, a sign-in problem, or a customer-service backlog is not merely anecdote. It is evidence that the control failure has reached the service floor. That evidence should feed the response, not sit outside it.
Hospitality has a distinctive risk profile. A hotel operates twenty-four hours a day, with guests already on property, payments in motion, reservations arriving, employees on shifts, and physical-service obligations that cannot simply pause. Casino operations add regulation, surveillance, cash handling, loyalty systems, and patron controls. When technology is degraded, the organization needs manual processes that are safe, auditable, and customer-legible. A cyber incident tests those manual processes under stress.
MGM's public filings described disruption and cost, but did not and should not expose every operational detail. The public still needs enough information to understand the harm mechanism. If systems are shut down to contain an attack, that may be the correct security decision. The company must still explain how guest services remain safe, how data is protected during manual work, how payments are handled, and how restored systems are validated. Security containment cannot be the only measure of success.
This is where incident response and business continuity meet. A company can eradicate an attacker but fail customers if service restoration is opaque. It can restore a visible service while leaving identity evidence weak. It can notify investors about cost while giving guests little practical guidance. The accountability record must hold those dimensions together.
The FBI's general cyber program page, Cyber Crime, and the Internet Crime Complaint Center, IC3, show the law-enforcement and reporting side of cyber-enabled crime. In an incident like MGM's, law enforcement is part of the ecosystem, but the company remains the party customers see. Notifying law enforcement does not answer whether guests know what happened to their data or whether employees can safely use restored systems.
Operational evidence should also shape insurance and cost estimates. MGM's October filing discussed expected impact and insurance. Those numbers are not only finance. They reflect service interruption, incident response, legal work, restoration, customer notice, and possibly future claims. A board that reviews the incident should ask what costs were visible, what costs remain contingent, and what costs were transferred to customers or partners without appearing directly in MGM's accounts.
Data notice was a separate duty from service restoration
An organization can restore systems before it fully understands data exposure. That is normal. It is also dangerous if service restoration creates the impression of closure. MGM's October 5 update said the company determined that an unauthorized third party obtained personal information of some customers who transacted with MGM before March 2019, including names, contact information, gender, date of birth, and driver's license number for some customers, and in a limited number of cases Social Security number or passport number. That statement created a different duty from restoring operations.
Data notice requires categories, affected populations, protective steps, and published contact points. Service restoration requires system integrity, process recovery, and customer-service capacity. The two can overlap, but they should not be collapsed. A guest whose check-in works again may still need to know whether identity documents were exposed. An investor who hears operations are restored may still need to understand notice cost and liability. A regulator may ask whether the notice was timely and clear.
This separation is especially important in hospitality because identity data is often gathered for ordinary service reasons. Hotels may collect payment details, loyalty information, contact information, identification, travel data, and preferences. Customers may not think of a hotel account as a high-value identity record until an incident exposes how much the business knows. The company has to translate data categories into customer-relevant risk.
The FTC's general data security guidance and NIST SP 800-53 Rev. 5, Security and Privacy Controls, help explain why data minimization, access control, logging, and incident response remain connected after the event. If old customer data is exposed years after collection, the accountability question includes retention. Why was the data still present? Was it required? Was it segmented? Who could reach it? Were older records protected with the same discipline as current operations?
The public record does not answer every retention question. It gives enough to ask them. MGM said some data related to customers who transacted before March 2019 was obtained. That date boundary is meaningful. It raises questions about legacy data stores, business retention, and whether older customer records remained linked to systems that attackers could access. A mature post-incident report would tell the board and regulators how retention changed.
Data notice also has a labor dimension. Customers must read notices, decide whether protective steps are worth taking, watch for fraud, update documents if necessary, and interact with customer support. The company carries direct incident cost; customers carry attention and risk cost. That is part of the accountability ledger.
Typography note
Typography is the art and technique of arranging type to make written language legible, readable, and visually appealing. It involves selecting typefaces, point sizes, line lengths, line-spacing, and letter-spacing.
- Typography originated with the invention of movable type by Johannes Gutenberg in the 15th century.
- Key elements include font selection, kerning, tracking, and leading.
- Good typography enhances readability and conveys mood or tone in design.
Residual unknowns and the accountable question
The MGM public record is substantial but incomplete. It does not reveal the full initial access path, the exact help-desk interaction record, every identity-control decision, every affected system, or every service-restoration tradeoff. Public reporting connected the incident to Scattered Spider; public-sector advisories explain the threat pattern; MGM filings describe company actions, data determinations, and cost. Responsible analysis should keep those layers separate.
The accountable question is who controlled the conditions that made the incident visible, expensive, and hard to close. MGM controlled identity proofing, privileged reset workflows, segmentation, monitoring, service-continuity planning, data retention, customer notice, and public-company disclosure. Attackers controlled the malicious campaign. Customers controlled only a small part of the risk once hotel systems and data stores were affected. Regulators controlled disclosure and enforcement expectations. Investors and insurers assessed the cost after the fact.
No single statement resolves those duties. "We notified law enforcement" does not answer whether identity resets were safe. "Systems are restored" does not answer whether data notice is complete. "Insurance is expected to cover some cost" does not answer whether service-floor resilience improved. "Threat actors used social engineering" does not answer whether help-desk proofing matched the authority being granted.
The durable lesson is that hospitality identity is operational infrastructure. A password reset, MFA enrollment, support call, or privileged session can become the path through which guest services, reservations, payments, loyalty, and regulatory obligations are disrupted. The help desk is therefore not a peripheral cost center. It is part of the control plane.
Boards should ask for evidence in that language. Which reset flows can unlock operational systems? Which roles can bypass MFA? How are high-risk callers authenticated? What happens if a threat actor compromises an identity provider? Which systems can be operated manually, and how is manual work later reconciled? How quickly can the company tell customers which data categories were affected? What cost and insurance assumptions depend on facts still under investigation?
For public disclosure, the lesson is staged specificity. Early notice should identify disruption and investigation without pretending certainty. Later notice should add data categories, business impact, customer actions, recovery status, and residual risk. Annual filings should explain governance improvements rather than merely recycling generic cyber-risk language. Customers and investors can tolerate uncertainty better when it is named.
MGM's incident should not be remembered only as a hotel cyber outage. It is a case in which identity controls, service continuity, public notice, and disclosure timing converged. The next hospitality provider facing a similar event will be judged not only by whether it ejects the attacker, but by whether the public can see what changed: stronger proofing, faster detection, safer fallback operations, clearer notices, and a board record that treats identity as the service infrastructure it has become.
The repair record should reach the front desk
A useful after-action record should be legible to the people who absorbed the incident. Security teams need technical fixes. Guests and employees need operational confidence. A front-desk manager does not need the name of every malware family; they need to know which systems can be trusted, which manual processes apply, and how to answer customer questions without improvising. A loyalty-program administrator needs to know whether account access and customer support scripts changed. A payment operations team needs to know whether degraded flows created reconciliation gaps.
That means incident repair should be translated into role-specific evidence. For help-desk employees: new proofing rules, escalation triggers, and suspicious-request examples. For property managers: manual service procedures and restoration checkpoints. For executives: cost, insurance, legal exposure, and control improvements. For customers: data categories, protective steps, support contacts, and realistic expectations. For regulators: timelines, affected systems, notices, and governance changes.
MGM's public documents naturally focus on investor and public notice. The internal repair record should be broader. It should show whether identity proofing was hardened, whether privileged reset authority was reduced, whether social-engineering training became control-backed rather than awareness-only, whether session revocation improved, whether offline continuity processes were tested, and whether customer-data retention was tightened. Each of those changes maps to a different stakeholder harm.
There is also a supplier lesson. Hospitality groups depend on reservation platforms, payment processors, identity tools, casino systems, building systems, and cloud services. If an identity incident forces system shutdown, supplier contracts decide who can help restore, who provides logs, who supports manual work, and who bears recovery cost. Detection delay is often worsened by unclear supplier evidence. A post-incident procurement review should ask whether vendors can deliver usable logs and emergency support within hours, not days.
The strongest evidence of repair would not be a public claim that the company is now secure. It would be a set of measurable tests: simulated help-desk social engineering blocked by proofing rules; privileged reset attempts detected and escalated; manual front-desk procedures exercised; data-retention exceptions closed; cyber incident materiality decisions rehearsed; customer-notice templates pre-cleared but fact-dependent; and property-level staff trained on degraded operations. Those tests are mundane. That is their virtue. They are closer to the real failure path than a broad statement about cybersecurity investment.
The final accountability standard is simple to state. If a threat actor targets hospitality identity again, the company should be able to prove that a human support interaction cannot quietly become enterprise control, that service continuity does not depend on improvised workarounds, and that disclosure can mature from "we are investigating" to useful facts quickly enough for customers and investors to act.
Materiality depends on operational translation
The MGM record also shows why cyber materiality cannot be assessed only inside a security team. A security team may know that identity systems are impaired, that endpoint recovery is underway, or that a containment choice is prudent. Investors and customers need a different translation: which revenue-generating operations are impaired, which customer data may be exposed, how long manual processes can hold, what cost is accumulating, and which facts remain uncertain. If the translation is slow, the disclosure may be technically cautious but operationally thin.
Materiality is not a magic number that appears after the incident is over. It is an evolving judgment under uncertainty. MGM's October update supplied an estimated adjusted property EBITDAR impact and expense context, but those estimates were available only after the company had more facts. The accountability question is how the company moved from operational signals to investor-relevant information. Which service outages were tracked? Which properties were affected? Which customer-service metrics mattered? Which cyber response costs were capitalized, expensed, insured, or still contingent?
Which data-exposure facts changed legal and notice obligations?
An organization that waits for complete certainty may disclose too late. An organization that discloses too early without guardrails may misstate scope. The stronger approach is to define evidence thresholds before a crisis. For example: a cyber event affecting check-in across major properties triggers an operational continuity disclosure review; confirmed access to historical customer identity data triggers a customer-notice workstream; projected business interruption above a threshold triggers finance and insurance escalation; uncertainty about attacker persistence triggers a narrower restoration claim.
Those thresholds are governance controls, not public-relations preferences.
The same translation discipline should apply internally. A property leader needs to know whether to trust a system, not whether a forensic image is complete. A customer-service team needs approved language and escalation paths. Finance needs to know which costs are incident-related. Legal needs to know whether data categories cross notice thresholds. Security needs authority to keep risky systems offline even when the service floor wants them back. Detection delay becomes more harmful when those translations are improvised.
This is where public-company disclosure and business continuity meet. A mature board pack after the MGM incident should show the decision chain from technical event to operational effect to materiality review. It should not be a single cyber slide. It should show timelines, affected functions, systems deliberately shut down, service workarounds, data categories under review, expected insurance recovery, customer notice status, regulator contact, and unresolved uncertainties.
That record lets the board see whether delay was caused by missing logs, unclear ownership, conservative legal review, incomplete business-impact measurement, or genuine forensic complexity.
If the board cannot tell why disclosure matured when it did, the organization has not learned enough. The point is not to punish every delay. It is to know whether the next event can be translated faster.
Help-desk security should be tested as a revenue control
The Scattered Spider advisory makes one governance point especially clear: help-desk security is not soft training around the edge of the business. It can be the control that protects revenue systems. A hospitality company may invest heavily in endpoint detection, network monitoring, and backup, yet still allow a caller to convert social pressure into an account reset. If that reset opens privileged access, the help desk becomes a control plane.
The fix cannot be only more awareness. Employees should know how social engineering works, but awareness fails under pressure, fatigue, urgency, and plausible internal language. The process itself must be designed to withstand manipulation. High-risk resets should require phishing-resistant verification, supervisor approval, callback to known channels, device posture checks, session review, and automatic alerting. Privileged resets should be rare, logged, time-bounded, and reviewed. If an employee claims to have lost every authenticator, the process should treat that as a security event, not a routine support request.
A realistic drill should test the whole chain. Can a fake employee persuade the help desk to reset MFA? Can a contractor account be reactivated without proper sponsor approval? Can a SIM-swap story bypass normal proofing? Can an attacker claiming to be an executive create urgency? Do analysts see the reset, the new device, the new geolocation, and the subsequent privilege use? Can the organization revoke sessions across identity providers quickly? Does the property team know what services depend on that identity domain?
Those tests should be measured like uptime tests. A company would not accept an untested fire alarm. It should not accept an untested privileged-reset process. The metric is not whether every help-desk employee can recite policy. The metric is whether a realistic malicious request fails safely and produces evidence. If the process relies on an employee's courage to say no to a persuasive caller, it is too weak for a business where identity systems can affect property operations.
MGM's public filings do not publish the detailed help-desk path, and responsible analysis should not invent it. But the public-sector advisory gives boards enough reason to ask. Which help-desk flows changed after the incident? Which privileged reset authorities were removed? Which employees received hardware-backed or phishing-resistant MFA? Which identity-provider logs are retained? Which service accounts can be reset by ordinary support? Which third-party support providers share the same identity domain? Those questions should become routine in hospitality governance.
Data retention turns old customers into current risk
The data categories disclosed by MGM make retention a live issue. The October update said some obtained personal information related to customers who transacted with MGM before March 2019. That phrasing matters because customers who last interacted with the company years earlier may not expect their identity data to remain part of current incident risk. Retention is often treated as a legal or storage-cost issue. In cyber incidents it becomes an exposure multiplier.
Companies keep old data for reasons: accounting, legal defense, loyalty history, anti-fraud, customer service, tax, regulatory compliance, analytics, or integration complexity. Some reasons are valid. But every retained record needs a protection story. If older customer records remain reachable by systems compromised in a modern identity incident, then the retention decision has current security consequences. A board should ask whether old data was segmented, minimized, tokenized, encrypted, access-controlled, and logged in proportion to its sensitivity.
This is not only about data volume. Old data can be harder to protect because it lives in inherited platforms, merged databases, archival systems, or operational reports no one wants to disturb. It may have weaker classification, fewer owners, and unclear deletion rules. When an incident occurs, the company may spend precious time figuring out which old systems matter. That delay can slow customer notice and increase legal uncertainty.
MGM's disclosure does not prove improper retention by itself. It does show why retention should be included in the incident after-action. What categories of pre-2019 data were still needed? Were they stored in the same environment as active customer data? Were access rights current? Were retention schedules followed? Did the incident cause MGM to delete, segment, or reduce old data? These questions are fair because the exposed population included historical customers, not only guests in the incident window.
Customers cannot answer those questions themselves. They do not know which records remain. They often cannot delete old hotel transaction records unilaterally. The company controls retention, and regulators evaluate whether the retention and protection were appropriate. That is why data minimization is not abstract privacy theory. It is a way to reduce the number of people pulled into the next cyber incident.
Supplier evidence is part of identity response
Hospitality systems are rarely owned end to end by one company. Reservation platforms, payment processors, loyalty integrations, property-management systems, casino systems, identity providers, endpoint tools, cloud hosting, telecom links, and outsourced support can all participate. During an identity-centered incident, each supplier may hold a different part of the evidence. Logs, authentication records, customer-service scripts, payment status, and restoration steps may sit outside the buyer's direct systems.
That supplier spread affects detection delay. If the company must wait for a vendor to produce logs, or if a vendor cannot separate normal activity from suspicious reset behavior, the response slows. If a vendor's contract does not require emergency support, the company may restore blindly or delay service unnecessarily. If a vendor does not preserve logs long enough, the company may never know whether a reset led to lateral movement. The incident becomes harder to explain to customers and investors.
Procurement should therefore treat cyber incident evidence as a service feature. A hospitality provider should know whether each critical supplier can produce timely logs, support emergency access changes, validate restored services, and participate in customer notice. The contract should define timeframes, evidence formats, notification duties, and cooperation. Otherwise a cyber incident becomes a negotiation over facts while guests are waiting at the desk.
This matters for insurance too. Insurers and claims teams may need proof of cause, loss, mitigation, and recovery. If supplier evidence is missing, cost recovery can be delayed or disputed. The board may see a headline estimate but not the evidentiary weakness underneath. A stronger repair record after MGM would include a supplier-evidence review: which vendors supported the response, which did not, and which contracts were changed.
The operational lesson is that detection delay is often a dependency delay. It is the time needed to gather facts across identity, endpoints, suppliers, properties, legal, finance, and customer service. Reducing that delay requires pre-built evidence paths. That is less dramatic than a malware name, but far more useful for the next event.
The board evidence should outlast the crisis
The final test is whether the board record survives calm review months later. A crisis dashboard can be useful during restoration, but accountability depends on a durable record that shows decisions, assumptions, and evidence. MGM's public filings give outside readers cost, disclosure, and notice anchors. Internally, directors should be able to see when identity-risk signals reached management, when service disruption became material enough for disclosure review, when customer-data categories became reliable enough for notice, and which control changes were approved after the event.
That record should also separate confidence from hope. A claim that systems are back online is not the same as evidence that identity pathways are harder to abuse. A claim that insurance will offset cost is not the same as evidence that business-interruption assumptions are settled. A claim that customers were notified is not the same as evidence that retention and minimization improved. The best post-incident record would connect each lesson to an owner, deadline, test, and board follow-up date.
For hospitality companies, this is the difference between surviving an incident and learning from one. The business can recover revenue before it has repaired governance. The accountability standard asks for the second outcome too.
Typography
Typography is the art and technique of arranging type to make written language legible, readable, and visually appealing. It involves selecting typefaces, point sizes, line lengths, line-spacing, and letter-spacing.
- Typography originated with the invention of movable type by Johannes Gutenberg in the 15th century.
- Key elements include font selection, kerning, tracking, and leading.
- Good typography enhances readability and conveys mood or tone in design.

