“Hidden” vendors can account for a significant volume of day-to-day transactions, accessing and storing vast amounts of plan participants’ personally identifiable information(“PII”) and personal health information (“PHI”). The delegation tactics used by employee benefit plan service providers place a premium on third-party risk management (“TPRM”) as a strategy.