diff --git a/proposals/4140-delayed-events-futures.md b/proposals/4140-delayed-events-futures.md
index 26939f3fb..baabec9f7 100644
--- a/proposals/4140-delayed-events-futures.md
+++ b/proposals/4140-delayed-events-futures.md
@@ -585,8 +585,13 @@ The following alternative names for this concept are considered
 
 ## Security considerations
 
+All new endpoints are authenticated.
+
 Servers SHOULD impose a maximum timeout value for future timeouts of not more than a month.
 
+As described [above](#power-levels-are-evaluated-at-the-point-of-sending), the homeserver MUST evaluate and enforce the
+power levels at the time of the delayed event being sent (i.e. added to the DAG).
+
 ## Unstable prefix
 
 Whilst the MSC is in the proposal stage, the following should be used: