Denial-of-service attacks on corporate websites, such as those launched by WikiLeaks supporters last week, are relatively rare, but risk mangers and information technology leaders should be prepared for the threat, experts say.

PayPal, the online payment operation owned by eBay Inc., and the websites of MasterCard Inc. and Visa Inc., among others, were hit by denial-of-service attacks, reportedly by WikiLeaks' sympathizers, after the companies' refusal to process contributions to the secret-revealing nonprofit website.

Despite the attack, MasterCard said it had “made significant progress” in restoring full service to its corporate website, and its cardholder account data was not put at risk. “While we have seen limited interruption in some web-based services, cardholders can continue to use their cards for secure transactions globally,” MasterCard said in a statement.

Visa did not respond to a request for an interview.

PayPal said attempted attacks slowed its website “for a short while, but did not significantly impact payments” and that it was fully operational.

Anonymous, a loose coalition of Internet activists, reportedly claimed credit for the retaliatory denial-of-service attacks.

While such attacks are unusual, experts say they are a real threat.

“It validates what we've been cautioning our insureds about for the past decade,” said Tracey Vispoli, worldwide cyber security product manager for Chubb Group of Insurance Cos. The attempted shutdown of the websites “is an eye-opening story for businesses to remind themselves that they're not immune to these events,” she said.

In December, shortly after WikiLeaks published 251,287 U.S. embassy cables, Swiss Post's PostFinance banking unit closed the account of WikiLeaks founder Julian Assange, saying the Australian citizen provided false information regarding his place of residence. Soon afterward, hackers overloaded PostFinance's website with clicks, making it unavailable for about a day.

Despite the attack, a media spokesperson for Swiss Post, said money in the accounts held by the company never was in jeopardy.

“Fortunately, it was not a day when people normally pay their bills,” he said. “It's hard to say how much the attack cost us.”

He also declined to detail steps his company took to prevent another attack.

According to the 2010/2011 Computer Security Institute “CSI Computer Crime and Security Survey,” only 17% of the 351 respondents have suffered a denial-of-service attack like those last week, down from 29% in 2009. And among losses suffered from various types of computer crime, only two cases were large losses—about $20 million and about $25 million. Discarding those two, the average loss across the group was less than $100,000 per respondent.

Robert Parisi, New York-based national practice leader for technology, network risk and telecommunications at Marsh Inc., said he has seen very few insurance claims due to denial-of-service attacks. That is because few companies purchase the property portion of cyber liability insurance, which would cover lost revenues. Those that purchase the coverage most likely were able to get their computers back up and running quickly enough so the coverage was not triggered, he said.

Meanwhile, experts say politically motivated hackers typically target well-known companies that are more likely to generate news headlines—the same companies that tend to have the most IT security resources.

Ben Greenbaum, Calgary-based senior research manager for Symantec Security Response, said the seriousness of an attack depends on the nature of the company's business.

“If it's just a vanity website and the company does most of its business over the phone or via letters and faxes, it won't affect them much, but companies that solely serve their customers on the Internet can see their earnings wiped out for the duration of the attack,” he said.

Still, Mr. Greenbaum said, such attacks don't result in the permanent loss of confidential data.

Lisa Sotto, head of the privacy and information group at Hunton & Williams L.L.P., advises clients to have a direct response team in place, handling issues ranging from how to deal with public relations to how to manage service providers should such an attack occur.

She also said it is wise for companies to assess which security approaches and products might be useful to avoid attacks, balancing the need for security with the need to conduct business.

Ben Beeson, a London-based partner at Lockton Inc., said the WikiLeaks story offers a lesson on the importance of an employer knowing its employees.

“You hear a lot about encryption software, intrusion detection systems, firewalls and so on, but people focus on that too much,” Mr. Beeson said. “They need to think about the people risk.”

One step he recommends companies take to protect themselves from external and internal threats is conducting background checks on employees who have access to sensitive information.