While natural disasters such as earthquakes, tsunamis and flooding have disrupted supply chains around the world, cyber attacks pose even greater risks as companies rely more on computers and the Internet to conduct their business.

In a report last month backed by the Washington-based Bipartisan Policy Center and the University of Pennsylvania's Annenberg Public Policy Center, members of the original 9/11 Commission said the growing cyber threat extends well beyond national security to private-sector systems.

“Denial-of-service attacks have tied up companies' websites, inflicting serious economic losses. A Russian teenage hacker may have been behind the massive malware attack on the U.S. retailer Target, compromising the credit-card data of 40 million customers. Increasingly, cyber attacks are targeting smartphones as well,” according to the report.

“Supply chains, especially critical infrastructure supply chains, can potentially be very vulnerable to hacking and malware attacks and, depending upon the attacker's motivation, susceptible to business interruption and extra expense exposure,” said Ken Goldstein, Hartford, Connecticut-based vice president and worldwide cyber security manager at Chubb Corp.

Rick Dakin, Louisville, Colorado-based CEO and chief security strategist at advisory firm Coalfire Systems Inc., said risk managers need to consider the vulnerabilities of the computers that power everything from a company's internal operations to external systems such as electricity, water, roads and airports.

“Technology is driving vulnerabilities into supply chains, which are not that good at self-healing,” Mr. Dakin said.

What's more, the software powering industrial systems is less likely to be thoroughly screened for vulnerabilities than traditional enterprise software, he said.

“There's probably not a single device in your water or electricity system that was properly tested in a lab for cyber vulnerability before being deployed in the field,” Mr. Dakin said. “So we are essentially testing devices already in the field, and it's a race between us and the hackers.”

Jon Boyens, Gaithersburg, Maryland-based senior adviser for information security at the National Institute of Standards and Technology, said risk mangers need to concentrate on the intersection of cyber and supply chain risks.

“Defending the supply chain from cyber risk is a very nascent discipline right now,” Mr. Boyens said. “It's about where traditional supply chain risk management was 10 or 15 years ago.”

Indeed, Sandor Boyson, research professor and co-director of the Supply Chain Management Center at R.H. Smith School of Business at the University of Maryland, argued in a recent research paper that a new approach is needed to deal with cyber supply chain risk: melding the disciplines of enterprise risk management, supply chain management and cyber security to address the issue.

Companies may want to alter internal operations in other ways to avoid a cyber-caused disruption of their supply chain, such as a manufacturer holding more raw materials in storage instead of relying solely on just-in-time deliveries.

“Space in warehouses is expensive, but what if somebody takes out your weekly shipment?” said Dena L. Magyar, Charlotte, North Carolina-based vice president and national practice leader in the professional risk group at Wells Fargo Insurance Services USA Inc.

Companies need to be keenly aware of their cyber and supply chain risks as well as the limits of cyber, business interruption and general liability policies when buying insurance, Ms. Magyar said.

“There are types of insurance that cover business interruption, but they usually don't address infrastructure failures such as Internet services,” she said.

“Some business interruption policies don't cover "wild' nontargeted viruses such as the "heartbleed' virus, and that's probably what you are most at risk for,” she said.

As for stand-alone cyber coverage, limits offered are often insufficient and often are too narrowly focused to cover broader cyber-related risk.

“A couple years ago when we first looked at cyber insurance, the policies excluded everything under the Sun, and we were looking for something more broad and manuscripted,” said Kristy Harris, Dallas-based senior analyst of corporate insurance at Southwest Airlines Co. “We were concerned with system failure and not just cyber breach.”

However, after meeting with several underwriters during the spring, Ms. Harris and her team were able to work with unnamed insurers to craft a cyber policy meeting the breadth of the airline's cyber risks with sufficiently large limits.

“We had a set number in mind for limits, and we were able to get it and also get one of the lowest retentions,” she said. “We didn't think we were going to be able to get either of those, but they both came through, and we are really proud of the product we came out with.”

The cyber risk is one that does not look to go away, according to the former 9/11 Commission members' recent report.

“The Internet's vulnerabilities are outpacing the nation's ability to secure it. Just as the United States needs to protect its physical infrastructure, so too must we protect the cyber domain,” the group said in recommending that Congress pass cybersecurity legislation and streamline its oversight of cyber security issues.