SecurEmail — Communicating safely with KPMG Germany

Functioning

KPMG's SecurEmail system offers webmail access for the secure exchange of messages or encryption using S/MIME certificates or PGP keys. The external recipient can switch between the two methods at any time via user settings in the webmail interface.

Webmail access:

Use of webmail access for secure communication is always initiated by the KPMG employee.

When a message (including attachment) is sent to an external recipient via SecurEmail, a mailbox for this recipient is set up on a specific secured server at KPMG's computer center; email is stored here in encrypted format. At the same time, the recipient receives an email in unencrypted format containing information about the receipt of a message from a specified sender and a login link for the mailbox.

For the initial log-in, the account holder needs a valid one-time password, which is transmitted to him/her by the sender (KPMG employee). A change of password is required after the first log-in. In the process, two security questions and related replies need to be stored. These security questions enable a forgotten password to be restored autonomously.

The message is transmitted in encrypted form between the KPMG server and the SecurEmail mailbox on the recipient's computer. Messages and attachments can be read and saved on the webmail interface. Email is stored until the recipient deletes it from the SecurEmail mailbox. The recipient can download and save the messages on his/her computer beforehand. Once the recipient has collected the message, the sender is informed of this via email.

Replies (including attachments) can be sent via the same secure method. New messages can also be created. These can be addressed to other KPMG employees, provided they have an account on the SecurEmail system.

S/MIME and PGP encryption:

In addition to the aforementioned webmail access, email messages can also be encrypted using the S/MIME or PGP standard. Using these methods, the email is directly transmitted to the recipient's email address.

In order to use these methods, participants must have valid S/MIME certificates or a PGP key and have exchanged these beforehand.

• KPMG employee sending to an external recipient:

In order to deliver an encrypted email directly to the recipient's mailbox, the KPMG SecurEmail system needs to know the recipient's public key. Through the one-time mailing of a signed email (alternatively mailing the public PGP or S/MIME key as an attachment to an email to keystore@kpmg.de, the external recipient's public key is stored in the KPMG SecurEmail system. Emails that are already waiting and all future emails will be automatically encrypted with this key and transmitted to the recipient.

The KPMG employee sends an email to this recipient via Outlook as usual, but selects the 'encrypt' option which appears as a prompt after 'send'.

• External sender sending to KPMG employee:

If an external sender wishes to send an email encrypted via S/MIME or PGP to a KPMG employee, he/she can request the employee's public key via the webmail page https://securemail.kpmg.de and the related interface ('request key') An account on the system is not required for this. After entering the email address of the KPMG employee and the sender, the corresponding data is sent to the external sender via email.