Foreign policy and national security are driving some of the key developments in corporate compliance in 2013 — including a potentially massive new reporting regime for companies that use so-called “conflict minerals” in their products.

At December’s National Law Journal Regulatory Summit, three experts on corporate governance and compliance examined the compliance landscape in the year ahead.

The panel was led by Susan Markel — a former SEC enforcement division official and managing director at AlixPartners, a corporate consulting firm — and included Jodi Avergun, a partner at Cadwalader, Wickersham & Taft, and Catherine Razzano, assistant general counsel at General Dynamics Corp. Among the issues they identified:

CONFLICT MINERALS: It’s a short list — just four minerals mined in areas where conflict and human rights abuses are common: gold; columbite-tantalite; cassiterite; and wolframite. But new U.S. Securities and Exchange Commission reporting rules around their use will mean a major compliance effort for many companies. The first disclosures aren’t due at the SEC until May 31, 2014, but given the scope of the rules, that date is right around the corner. Companies must examine their entire supply chain to ensure that they are capturing all possible ways that the minerals may make it into their products. And the costs of doing so will be substantial: The SEC estimates that 6,000 public companies will be affected and that industry will pay as much as $4 billion to set up compliance programs (though some industry estimates run as high as $16 billion). Annual costs for companies covered by the rule are expected to hit $300 million. “Some companies think this will be more expensive than Sarbanes-Oxley,” Markel said.

IRANIAN INTERESTS: Last year, the federal government strengthened sanctions against the government of Iran — and in doing so, closed loopholes that allowed American companies contact with the country, however limited. By February 6, U.S.-based multinationals and any of their overseas affiliates must disclose contacts with Iran to the SEC. For large companies with complex, global operations, that may mean a top-to-bottom review of their entire supply chain.

CYBERSECURITY: In October 2011, the SEC issued guidelines that companies should report security breaches that compromise customer information. More than a year later, the fallout continues, as companies adjust their financial disclosures to encompass cyberattacks. For companies deemed a part of the nation’s critical infrastructure (such as banks and utilities), more regulation lies ahead: The Obama administration is soon expected to issue an executive order that creates new cybersecurity standards and additional reporting requirements.

WHISTLEBLOWER RULES: The Dodd-Frank Act gave whistleblowers new incentives to tip off the SEC about bad corporate behavior: They get to keep a percentage of monetary sanctions should their information pan out. The SEC paid its first bounty — $50,000 — in August. Expect far more ahead: The program is still new, and a cadre of qui tam attorneys is gearing up to help push whistleblowers with useful information to the SEC. Said Markel of AlixPartners: “The idea that things can be kept secret in your company is no more.”